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FINANCIAL PRIVACY AND 
CONSUMER PROTECTION 


THURSDAY, SEPTEMBER 19, 2002 

U.S. Senate, 

Committee on Banking, Housing, and Urban Affairs, 

Washington, DC. 

The Committee met at 10:07 a.m. in room SD-538 of the Dirksen 
Senate Office Building, Senator Paul S. Sarbanes (Chairman of the 
Committee) presiding. 

OPENING STATEMENT OF CHAIRMAN PAUL S. SARBANES 

Chairman Sarbanes. The hearing will come to order. 

This morning, the Committee meets to hear testimony on the 
issue of financial privacy and consumer protection. At the very out- 
set, I want to acknowledge the interest and the contribution which 
Senator Shelby has made regarding this issue and I am pleased to 
be working with him on it. 

Senator Shelby. Thank you, Mr. Chairman. 

Chairman Sarbanes. During the past few years — even longer, 
actually — there have been growing concerns over the way con- 
sumers’ personal and financial information is shared or sold by 
their financial institutions. In 1999, when we did the major revi- 
sion of the structure of the financial industry, after considerable 
debate, we enacted certain Federal privacy protections, although 
many perceived them as not to be fully adequate to the challenge, 
and therefore, financial privacy remains a critical issues. 

The amount of sensitive personally identifiable financial informa- 
tion that, under current Federal law, can be circulated is vast. It 
includes savings and checking account balances, certificates of de- 
posit maturity dates and balances, any check which an individual 
writes, any check that is deposited into a customer’s account, stock 
and mutual fund purchases and sales, life insurance payouts, and 
other data. The universe of consumer data that the financial insti- 
tutions can collect, warehouse, and then either share or sell is 
increasingly growing, some think at a very rapid pace. Modern 
technology makes this sharing cheaper, quicker, and easier than 
ever before. I think the real issue is that much of this is done with- 
out the knowledge or the approval of the customer regarding the 
specific information being transferred or the specific affiliated or 
nonaffiliated company to whom it is either being sold or shared. 

Financial privacy is in many respects a fundamental right that 
all consumers should enjoy. And obviously, if that is the case, if it 
is not adequately protected, we can have abuses. 

( 1 ) 
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Recent reports and surveys indicate the public’s ongoing con- 
cerns. Dr. Alan Westin of Columbia University, who heads Privacy 
and American Business, wrote this year: “Both on and off the 
Internet, consumers are more concerned about privacy today than 
they have been at any point over the past 2 years.” A survey pub- 
lished this year by that group and sponsored by the AICPA and 
Ernst & Young found that 79 percent of respondents agreed with 
the statement: “Consumers have lost all control over how personal 
information is collected and used by companies.” The same survey 
found that the number of respondents who disagreed with the 
statement: “Existing laws and organizational practices provide a 
reasonable level of protection for consumers today.” That was the 
statement, that existing laws and practices provided a reasonable 
level of protection. The number disagreeing with that statement 
has gone from 38 percent in 1999 to 62 percent in 2001. 

We obviously need to address the issue of whether consumers 
should have the right to choose whether his or her bank or other 
financial institution may circulate private financial information to 
others for purposes that the consumer may never have originally 
intended. 

At today’s hearing, we will hear testimony with respect to a 
number of questions: Do consumers continue to be concerned about 
their financial privacy, the privacy of nonpublic personally identifi- 
able data held by financial institutions? What types of concerns do 
consumers have about the possible uses of their financial informa- 
tion? Are the minimum financial privacy protections in Federal law 
adequate to meet the consumer’s concerns? What recommendations 
would panelists make to the Committee regarding financial privacy 
protection? 

We have a number of very able witnesses with us this morning. 
In a sense, I apologize for the breadth of the panel, but we had 
many people that we wanted to hear from. I think what I will do, 
in view of that, is I will introduce each witness as we come to 
them, rather than introducing them all here at the outset because, 
by the time we get to the last witness, they may have forgotten 
what was said about them. 

[Laughter.] 

So before I begin the process of going to the witnesses, we thank 
all of you for coming today, we very much appreciate your partici- 
pation, I yield to my colleagues for any opening remarks. 

First, I turn to Senator Shelby. 

STATEMENT OF SENATOR RICHARD C. SHELBY 

Senator Shelby. Thank you, Mr. Chairman. Thank you for call- 
ing this hearing. And I also want to thank you for your long-time 
interest and work in this area. We worked together on a number 
of initiatives dealing with financial privacy and I believe we will 
continue to work those issues because the more I see and talk to 
the American people, most of them do not realize what is going on 
yet. But they are learning. And hearings like this certainly help. 

Mr. Chairman, the subject of financial privacy is one that is very 
important to all of us and requires the Committee’s thorough con- 
sideration, as you realize. 
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I want to thank the witnesses for taking the time to come here 
to share their views and experiences with us. And I look forward 
to hearing from all of you. 

This issue of privacy is not a new one. In one way or another 
there has been an ongoing debate about privacy since the founding 
of this country. However, the issue has clearly evolved over time 
as a range of specific incidents and general trends have raised pub- 
lic concerns about new or different threats to our privacy. Where 
once only the Government possessed the ability to obtain and the 
means to exploit vast amounts of personal data, technology now 
makes it possible for just about anyone to collect, to store, to sell, 
or to do just about anything that they want to with a lot of our pri- 
vate items. 

I believe that the existence of such capabilities requires that we 
carefully, here in the Congress, examine the pros and cons of its 
use relative to the disclosure of personal information. Furthermore, 
as we move forward, I think it is extremely important that we con- 
tinue to pay close attention to the significant role that technological 
capability is going to play in this debate. Consumer and industry 
demand for faster and more reliable information exchange is only 
going to increase. As technological capabilities are expanded to 
keep up, new and unforeseen issues concerning the use of sensitive 
personal financial information I believe will continuously arise. 

While it may not be possible to develop rules that deal with 
every possible scenario involving the use of confidential financial 
information, I believe the American people will demand that we es- 
tablish some basic principles that will guide our future efforts. 

In order to do this I believe that it is important for this Com- 
mittee, the Banking Committee, to draw from a broad range of per- 
spectives in considering the basic questions regarding the various 
Federal laws touching on financial privacy. For instance: Are such 
laws effective? Are they targeted to consumer concerns? Do con- 
sumers even understand them? I am going to ask that again: Do 
consumers even understand them? Are they in sync with today’s 
marketplace? What restrictions do they place on business activity? 

Additionally, in light of the fact that the States play an impor- 
tant role in this area, I think it is also essential for us to gain a 
better understanding of their efforts and to consider some basic 
questions about their activities. For instance: Do State officials 
have a greater perspective or awareness regarding the trends or 
concerns about financial privacy? What value is provided by pre- 
serving a State legislative role, thanks to Senator Sarbanes? What 
value is provided by preserving strictly a State enforcement role? 
How does State activity impact the financial services industry? 

It is my hope that this is just the first, Mr. Chairman, of what 
I hope are a whole series of opportunities to consider this issue. I 
look forward to a productive and informative dialogue here and I 
thank you for this hearing. 

Chairman Sarbanes. Thank you very much, Senator Shelby. 

Senator Stabenow. 

STATEMENT OF SENATOR DEBBIE STABENOW 

Senator Stabenow. Thank you, Mr. Chairman. And to you and 
to Senator Shelby, thank you for your leadership. 
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I think this is one of the most important issues that we face as 
we move forward at this time, and I appreciate the fact that we 
have so many people willing to share their expertise with us today. 

This is a topic that, in our increasingly sophisticated world, is 
one that consumers are extremely concerned about, as has been in- 
dicated. We know that our financial decisions can be recorded, ana- 
lyzed, shared, and sold, and consumers want to know that they 
have a basic level of privacy. We all want to know that we have 
that basic level of privacy. 

When we passed the privacy provisions of Gramm-Leach-Bliley, 
we were breaking new ground. We gave the public a certain degree 
of control, but not as much as many would have liked. And since 
the Act was passed in 1999, the regulators have had the oppor- 
tunity to set standards, as we know, and financial institutions have 
been complying with the law. 

Now it is appropriate to reflect on that legislation and how it is 
being implemented and where we should go from here. Is it suffi- 
cient? Is it being implemented effectively? As Senator Shelby said, 
do consumers really understand their privacy rights? Are the an- 
nual financial privacy disclosures effective or simply thrown away 
with all of the other things that come in the mail? What are regu- 
lators doing to make sure that these disclosures meet the spirit of 
the law? 

I also believe it is important to look at States, as Senator Shelby 
was mentioning. I know there have been a number of serious de- 
bates going on in States. In particular, there has been a lot of focus 
on North Dakota and California. I suspect the discussions will con- 
tinue, from Sacramento to my hometown of Lansing, Michigan, to 
Annapolis, all across the country, this will become more and more 
of a debate and discussion, as it should. 

So, Mr. Chairman, thank you again for what I think is a very 
important hearing. I hope this helps us lay a foundation as we 
move into the next Congress to focus on this issue, which I know 
is of deep, deep concern to the American public. 

Chairman Sarbanes. Thank you very much, Senator Stabenow. 

We will now turn to our panel. We will first hear from Attorney 
General William Sorrell, who has been the Attorney General of the 
State of Vermont since 1997. Attorney General Sorrell is the Vice 
President of the National Association of Attorneys General and Co- 
Chair of its Consumer Protection Committee. Earlier, he served as 
Vermont’s Secretary of Administration. 

Mr. Attorney General, we are very pleased to have you here. 

STATEMENT OF WILLIAM H. SORRELL 
ATTORNEY GENERAL, THE STATE OF VERMONT 

Mr. Sorrell. Thank you very much. 

Chairman Sarbanes. I think if you pull that microphone close to 
you, it will be helpful to all of us. 

Mr. Sorrell. Good morning. 

Chairman Sarbanes. That is better, yes. 

Mr. Sorrell. Thank you for inviting me to speak with you today 
on the important issue of financial privacy. 

The State Attorneys General are grateful for the work of this 
Committee on this important consumer issue and we especially 
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want to commend Chairman Sarbanes and Senator Shelby for 
working so hard to address these issues in a bipartisan fashion. 

As this panel of witnesses demonstrates, concerns about the pri- 
vacy of consumers’ financial information is neither a Democratic 
issue, nor a Republican issue. It is not a liberal issue, nor a con- 
servative issue. Rather, it cuts across traditional party and philo- 
sophical lines to touch all of us who are concerned about protecting 
our citizens. 

The Chairman did indicate that I am the Vice President of the 
National Association of Attorneys General. But I want to make 
clear for the record that I am here for myself and representing my 
Office of Attorney General for the State of Vermont. 

I am not here purporting to speak for the entire National Asso- 
ciation of Attorneys General. 

Chairman Sarbanes. As they say on those ads that they put in 
the paper when they get all those academics to sign and give their 
institutions, just for the purpose of identification. 

[Laughter.] 

Mr. Sorrell. Thank you very much, Mr. Chairman. 

[Laughter.] 

Along with my esteemed colleagues on this panel, I am here 
today to tell you that the privacy provisions of Gramm-Leach-Bliley 
are not working. Although this Committee worked hard to enact 
provisions to eliminate the abusive practices that were uncovered 
by the State Attorneys General in 1999, in fact, these practices are 
continuing largely unabated. 

I strongly recommend that this Committee undertake a thorough 
examination of the effects of Gramm-Leach-Bliley and the related 
regulations implemented by the Federal regulators in order to de- 
termine whether the law, as interpreted by the Federal agencies, 
carries out your intent. I believe you will find that it does not do 
so. I also believe you will want to enact strong provisions to correct 
problems that have arisen under Gramm-Leach-Bliley. 

What are some of these problems that consumers are facing? 

First and foremost, the unfortunate telemarketing practices that 
were uncovered in 1999, by Minnesota Attorney General Hatch are 
continuing. The U.S. Bancorp case demonstrated that major finan- 
cial institutions were facilitating abusive telemarketing by selling 
their customers’ account numbers and other nonpublic personal 
financial information to vendors, who then turned around and sold 
consumers memberships in travel clubs, gardening clubs, esoteric 
insurance products, often through improper use of information pro- 
vided by the financial institution. 

This Committee wanted to put a stop to such practices, and so 
prohibited financial institutions from sharing account numbers. 
But the Federal agencies responsible for interpreting the law allow 
financial institutions to share or sell encrypted account numbers or 
other unique identifiers, thereby giving the telemarketers essen- 
tially the same access to consumers’ accounts as before. 

So just as was the case prior to Gramm-Leach-Bliley, an eager 
telemarketer, paid on commission, is able to convert a consumer’s 
ambiguous statement of interest into a purchase. The telemarketer 
simply informs the financial institution that a charge should be 
processed on that consumer’s account. The telemarketer doesn’t 
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need the actual account number because the bank will convert the 
encrypted number or unique identifier into the account number for 
processing the charge. The consumer doesn’t know how the charge 
appeared on her account since she never gave out her account 
number. In many instances, she doesn’t even know she made a 
purchase. 

This Committee should undertake a thorough investigation of 
these continuing abusive telemarketing practices and afford greater 
protection to consumers in this regard. 

Gramm-Leach-Bliley is also not working because the notices re- 
quired under the law are fundamentally incomprehensible to too 
many consumers. My written testimony fully covers the surveys 
and studies that demonstrate the dense writing of these notices, as 
well as the correspondingly high reading levels required to under- 
stand them. 

I thought, and with the Committee’s indulgence, that I might 
just take a moment to read just one paragraph from one of these 
notices. This should serve to give the Committee a flavor of what 
consumers face in trying to decipher these notices and the excerpt 
I will read is from the American Bankers Association model, 
Gramm-Leach-Bliley privacy policy notice, that it sent out to its 
members for use in their notices. 

And in that notice, and I believe the average American household 
received roughly eight or more of these notices, under the heading, 
What Information We Disclose, if you get down in the body of the 
notice, here is what you find: 

We may disclose nonpublic personal information about you to the following types 
of “affiliates” (i.e., companies related to us by common control or ownership) and 
“nonaffiliated third parties” (i.e., third parties that are not members of our corporate 
family). Financial service providers, such as mortgage bankers, security brokers- 
dealers, and insurance agents. Nonfinancial companies, such as retailers, direct 
marketers, airlines and publishers. And others, such as nonprofit organizations. 

If you prefer that we not disclose nonpublic personal information about you to 
such nonaffiliated third parties [with respect to this loan or account], you may opt- 
out of those disclosures, that is, you may direct us not to make those disclosures 
(other than disclosures permitted by law). If you wish to opt-out of disclosures to 
nonaffiliated third parties, you may call the following toll-free number. 

I hope I have made my point. 

It stretches credulity to think that average consumers can read- 
ily work their way through these obtuse notices and reach a basic 
understanding of their rights to control the sharing of financial in- 
formation. And then to make informed choices in this regard. 

This is exactly why the Attorneys General of 44 of the States and 
territories recently called on the Federal regulatory agencies to 
create standard notices to require much simpler language so that 
consumers can more readily understand the notices. 

This Committee should give serious consideration to requiring 
standard privacy notices similar to the nutritional notices that are 
required in the Federal Nutritional Labeling and Education Act. 

This Committee had the wisdom to ensure that States would 
have the authority to go further than Gramm-Leach-Bliley to enact 
more protective laws governing financial privacy. 

We hope the Committee will continue to allow States to protect 
their citizens as they see the need to do so. Indeed, several States 
had enacted more protective laws governing financial privacy prior 
to the adoption of Gramm-Leach-Bliley. Because consumers contin- 



7 


ued to be very concerned about the protection of their personal fi- 
nancial information, States have continued to adopt laws that are 
more protective than Federal law. 

Currently, there are six States that have enacted laws that re- 
quire some form of opt-in before financial information can be 
shared by banks, and 14 States have enacted laws that require 
some form of consumer consent before financial information can be 
shared by insurance companies. 

As my co-panelist, Representative Kasper, will describe, North 
Dakota voters recently adopted a referendum reversing the State 
legislature’s repeal of that State’s opt-in law, thereby putting that 
State’s banking opt-in law back on the books. In addition, two Cali- 
fornia localities, San Mateo County and Daley City, have recently 
adopted ordinances requiring affirmative consumer consent before 
financial information may be shared. 

These State and local laws are a reaction to the problems associ- 
ated with Gramm-Leach-Bliley and an effort by these governments 
to exercise the power given them by this Committee under Section 
507, to provide consumers with protections greater than those af- 
forded under Federal law. 

The sharing of financial information among corporate affiliates 
remains another real concern. Should a consumer who opens an ac- 
count with Citibank, for example, expect that, for purposes of 
“preacquired account marketing,” her account number will be 
shared with Travelers Insurance or any of the other 2,761 affiliates 
within Citigroup? The number and the breadth of affiliates cur- 
rently associated with some of the country’s major financial institu- 
tions is truly astounding. 

In addition to the Citigroup’s 2,761 affiliates, the web site of the 
Federal Reserve lists 1,476 corporate affiliates for Bank of America, 
and 871 affiliates for KeyCorp, which is considered to be a mid-size 
bank. 

A perusal of these corporate affiliate lists demonstrates that 
these holding companies appear to be involved in widely disparate 
activities, including insurance, securities, international banking, 
real estate holdings and development, and equipment leasing. 

So a consumer holding a credit card with the lead bank or an in- 
surance policy with a major insurer in any of these affiliate groups 
would not expect that his or her account number would be spread 
throughout the corporate affiliate structure for the purpose, not of 
servicing the consumer better, but of marketing products to the 
consumer. 

This Committee should require that financial institutions give 
consumers an effective choice before nonpublic personal financial 
information can be shared among affiliates. 

Moreover, the Congress should direct that the standard financial 
privacy notices to be created by the Federal regulatory agencies 
contain a standard format for information about affiliate-sharing 
practices and consumers’ choices to prevent such sharing. 

Mr. Chairman, I referred to the following documents* in my writ- 
ten and oral testimony. I would like to have them submitted into 
the record: Affiliate lists for Bank of America, Citigroup, and 


*Held in Committee files. 
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KeyCorp; a report from my office and our Department of Banking 
and Insurance; an interim report to the Vermont legislature on fi- 
nancial privacy; the final of such report; and the American Bankers 
Association sample privacy notice. I hope those and my written tes- 
timony will be accepted into the record. 

Chairman Sarbanes. They will be held in Committee files. 

Mr. Sorrell. Thank you very much for this opportunity. 

Chairman Sarbanes. Thank you very much. We very much ap- 
preciate hearing from you. 

We will now turn to Fred Cate, Professor of Law at the Indiana 
University School of Law in Bloomington, Indiana, and a Senior 
Policy Advisor at the Hunton & Williams Center for Information 
Policy Leadership. 

Professor Cate. 


STATEMENT OF FRED H. CATE 
PROFESSOR OF LAW 
INDIANA UNIVERSITY SCHOOL OF LAW 

Dr. Cate. Thank you very much, Mr. Chairman, distinguished 
Members of the Committee. I appreciate the opportunity to be here. 

I should offer the same qualification as my distinguished col- 
league, which is, of course, that my comments do not reflect the 
views of Indiana University. 

One would like to think that the University would have the good 
sense that they would. 

[Laughter.] 

But in any event, the University would want me to clarify that 
they do not necessarily. 

There is much to say, but I will do my best to limit myself to 
four points and try to make those as briefly as possible. 

First, there is no doubt but what consumers are concerned about 
financial privacy. It seems like there is no room to even debate that 
question. I think the issue is what do we make of that concern and 
what would this Committee and the Congress do in response to 
that concern? 

I, for one, do not find that concern tremendously surprising. Con- 
sumers should be concerned about financial privacy. They should 
be concerned about privacy in many areas because, frankly, many 
of the most effective and, in some cases, the only effective, steps 
to protect an individual’s privacy are individual actions. They are 
not protections afforded by law. They are not protections afforded 
by policies or technologies, but, rather, the things that an indi- 
vidual himself or herself will do. 

So given that we have just had a deluge, twice now, of more than 
two billion privacy notices, given the attention given this issue in 
the press, it would, I think, be surprising if there weren’t consumer 
concern about this issue, and I think that concern is largely 
healthy. 

Clearly, it is not healthy to the extent that it represents lack of 
knowledge about either banking practices or the law, and I will 
return to this in my conclusion. 

Second, in addition, however, to looking at the presence of con- 
sumer concern, we also have to look at consumer action. And what 
we know is that in response to tens of thousands of financial insti- 
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tutions, mailing billions of privacy notices, the opt-out rates seem 
to be consistently less than 5 percent. Many institutions report opt- 
out rates of 1 percent or less. 

This is true, by the way, not only in financial privacy. This is 
true with the FCRA opt-out provisions. This is true for the DMA’s 
opt-out provisions. This is true for many companies that report 
what their specific industry opt-out rates are. A low response rate 
is very consistent. 

So before encouraging the Congress to adopt new laws or more 
restrictive privacy laws, it seems important to first understand why 
consumers aren’t taking advantage of the rights that they currently 
have under existing law. Before giving new rights, why are the cur- 
rent rights not being used? 

Third, another reason for concern about going forward with more 
restrictive privacy laws on either the State or Federal level is, of 
course, that information serves many valuable, irreplaceable func- 
tions in this economy and in the society. 

This point seems so obvious that I do not want to belabor it here. 
It has been much written about. And probably the most articulate 
spokespeople coming from the Federal Reserve Board. Let me just 
offer one quote from Governor Gramlich: “Information about indi- 
vidual’s needs and preferences is the cornerstone of any system 
that allocates goods and services within an economy.” The more 
such information is available, “the more accurately and efficiently 
will the economy meet those needs and preferences.” 

This seems particularly true in the case of affiliate-sharing. The 
number of affiliates which have been referred to certainly could 
give one pause. But I think it is worth noting that research shows 
that companies do not create affiliates just for the opportunity to 
create affiliates, that affiliate relationships are often driven by tax 
or liability issues, by regulatory requirements, by any number of 
State licensing issues. 

The question then of whether affiliate-sharing of information 
should be permitted or restricted would necessarily, if made a legal 
issue, require that companies describe in detail their affiliate rela- 
tionships to their customers. 

It is difficult to imagine how even the best-intentioned privacy 
notice, if required to describe those relationships in detail, could 
ever be comprehensible to anybody, to anybody here or to anyone 
likely to receive those notices. 

Interfering with those benefits of information flows, of course, 
impose costs on consumers. There are also additional costs, how- 
ever, imposed by privacy laws, and I think this Committee is well 
aware of and I think that this is very relevant to the question of 
whether more restrictive privacy laws seem appropriate. 

We know that the cost of complying with Gramm-Leach-Bliley 
has been measured in the range of $2 to $5 billion a year for finan- 
cial institutions, cost that are, of course, passed on, either to the 
customers directly or to shareholders, and indirectly to customers. 

These costs, however, are much greater. Experience and research 
in this area are consistent and, without exception, show that costs 
are much greater when a privacy law imposes a greater restriction 
on information-sharing, for example, opt-in. In fact, most of the 
available research on opt-in statutes in practice show that if they 
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require contacting a consumer after the consumer has engaged in 
the transaction, after the consumer has opened the account, after 
the consumer has sought service, an opt-in statute effectively 
works as a ban on information flows that, in practice, the result is 
no consent and no opportunity to share information. 

I want to be clear, however. 

I think that those costs should be measured not only in dollars, 
but also would encourage the Committee and would direct the 
Committee’s attention to the other types of costs that that can im- 
pose. And here research is particularly informative. 

Even a subject like informing consumers about opportunities, 
marketing, which seems to meet with very little support in any 
public forum today, nevertheless, is of obvious importance to many 
consumers and especially those less likely to have, for example, 
financial advisors, less likely to be well-endowed financially. 

We know, for example, that greater information restrictions dis- 
proportionately affect poor and also people located away from 
urban centers. This, of course, is also especially true with opt-in. 

I have mentioned in my written testimony and I will not belabor 
now a case study that economist Michael Staten and I did of just 
one financial institution, MBNA Corporation, and what the cost of 
opt-in would be on MBNA’s customers. Those costs are significant 
and I would encourage the Committee to pay close attention to the 
consistent evidence of how great those costs can be, especially 
since, to use MBNA’s numbers for the period of the case study, 
2000 to 2001, fewer than one quarter of 1 percent of MBNA cus- 
tomers had opted out. So imposing any additional costs, given that 
fewer than one quarter of 1 percent had found the protection nec- 
essary, would seem dubious, at best. 

Remember, and I will quote here Alabama Attorney General Bill 
Pryor, it is customers and individuals who ultimately “pay the 
price of either higher prices for what they buy or in terms of a re- 
stricted set of choices offered them in the marketplace, for restric- 
tive privacy laws.” 

Finally, I think it is important to keep in mind the larger context 
in which this debate is taking place. 

Gramm-Leach-Bliley passed in 1999 and notices were required to 
be mailed, the first set, by July 1, 2001. Only 14 months has 
passed during that time and we have seen significant changes and 
developments that would strike me as very positive in that time. 

While the issue of consumer confusion has already been noted, 
I think it is important here to return to the question of why notice 
is needed to be improved, why the developments of the past 14 
months, in fact, warrant approval rather than disapproval from 
this Committee. 

Remember the law itself is very complex. If you have ever tried 
to explain it to anyone, you appreciate how complex the law is. The 
terms used, for example, in the ABA model notice that was pre- 
viously read, largely came from the law and from the implementing 
regulations. 

If you want simple requirements to be explained to consumers, 
you will have to enact simple requirements. And in this area, that 
is very, very difficult. So, for example, distinctions between con- 
sumers and customers, which are so important to the law, do not 
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make much sense to ordinary people. It is difficult to understand 
these. 

It should also be noted that clarity seems to be very much in the 
eye of the beholder. 

I had the experience on June 18, 2001, of appearing before the 
California General Assembly Committee on Banking and Finance, 
where the Committee Chairman lauded American Express for the 
clarity of its notice. In fact, he passed out copies to everyone in the 
audience, so, as he said, industry representatives could live up to 
the model set by American Express. 

Three weeks later, on July 9, 2001, USA Today cited American 
Express’ notice as one of the least comprehensible it had read. 

There is much going on. There are market responses. We are see- 
ing banks and other financial institutions offering privacy-related 
cards and other privacy-related services. We are seeing the quality 
of notices being improved, the Federal Trade Commission working 
to improve that quality. We are seeing new types of privacy protec- 
tions, many from the States, such as do-not-call lists. 

In the absence of evidence of harms not being addressed by the 
current law, not just Gramm-Leach-Bliley, but the full range of 
Federal and State financial privacy laws, it seems inappropriate, or 
at least premature, to move forward with more restrictive privacy 
requirements. 

Thank you. 

Chairman Sarbanes. Thank you very much, sir. 

Now, we will hear from John Dugan, appearing today, I think it 
is fair to say, actually, representing the Financial Services Coordi- 
nating Council. I do not know that we will need a disclaimer here. 

Mr. Dugan. No disclaimer. 

Chairman Sarbanes. The Council includes the American Bank- 
ers Association, the American Council of Life Insurers, the Amer- 
ican Insurance Association, and the Securities Industry Associa- 
tion. Mr. Dugan is a partner at Covington & Burling, here in town, 
and I must note, previously worked here on the Banking Com- 
mittee staff as Minority General Counsel when Senator Garn was 
a Member of the Committee. 

We are very pleased to hear from you, Mr. Dugan. 

STATEMENT OF JOHN C. DUGAN 
PARTNER, COVINGTON & BURLING 
ON BEHALF OF THE 

FINANCIAL SERVICES COORDINATING COUNCIL 

Mr. Dugan. Thank you, Mr. Chairman, and Members of this 
Committee. It is a pleasure to be back here today. 

As you said, I represent the Financial Services Coordinating 
Council, and this organization represents thousands of large and 
small banks, insurance companies, and securities firms that, taken 
together, provide financial services to virtually every household in 
America. I have represented the FSCC on financial privacy issues 
since the organization was formed in late 1999. 

Every commercial privacy law strikes a balance between pro- 
tecting the privacy interests of consumers and preserving the clear 
consumer benefits that arise from the free flow of information in 
the economy. While consumers expect limits on the disclosure of 
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their information, they also expect companies to provide them with 
benefits that can only be obtained through information-sharing. For 
example, a long-time depositor in a bank wants and expects to re- 
ceive a discount on a mortgage loan offered by a related mortgage 
company affiliate, and such “relationship discounts” can only be 
provided through information-sharing. Privacy laws try to balance 
these competing consumer expectations. 

In terms of financial privacy, we believe that Congress struck the 
right balance in the Gramm-Leach-Bliley Act. Financial institution 
consumers now must be provided notice of practices regarding in- 
formation collection and disclosure, opt-out choice regarding shar- 
ing of information with nonaffiliated third parties, security in the 
form of mandatory policies, procedures, and controls, and enforce- 
ment of privacy protections via the financial regulatory agencies. 

By any measure compared to 3 years ago, consumers have much 
more meaningful information, choice, and security regarding their 
financial information. 

At the same time, the GLB Act appropriately allows financial in- 
stitutions to share information for a variety of plainly legitimate 
purposes without consumer consent, for example, to carry out 
transactions requested by the consumer, to deter and detect fraud, 
to respond to regulators and judicial process, et cetera. 

The FSCC also continues to support Congress’ decision to treat 
information-sharing by affiliates in the same manner as sharing 
within a single institution. In both cases, the opt-out requirement 
does not apply, as has already been stated. We think this decision 
reflected the fact that consumers are unlikely to distinguish be- 
tween, for example, a community bank and its affiliated mortgage 
lending company. Instead, consumers expect that both affiliates are 
part of the same community banking organization where informa- 
tion is shared. 

Finally, we also continue to believe that Congress appropriately 
chose to provide consumers with the right to opt-out of information- 
sharing with third-party commercial companies. 

But Congress also rightly chose to reject an opt-in approach, 
which deprives consumers of benefits from information-sharing, as 
Professor Cate just described. Consumers rarely exercise opt-in 
consent of any kind, even those consumers who would want to re- 
ceive the benefits of information-sharing if they knew about them. 
In essence, an opt-in creates a default rule that stops the free flow 
of information, and that makes financial services more expensive 
and inefficient. In contrast, an opt-out gives privacy-sensitive con- 
sumers just as much choice as opt-in, but without the default rule 
that denies consumer benefits. 

In terms of implementation, the Gramm-Leach-Bliley privacy 
provisions were enacted in 1999 and implementing regulations be- 
came effective just over a year ago. While tremendous progress has 
been made, this is still very much a work in progress. 

Nevertheless, the financial institutions and their regulators have 
received a minuscule number of customer complaints about the pri- 
vacy provisions. For example, in response to a recent Freedom of 
Information Act request, the Federal Reserve reported that it had 
received only 25 privacy-related complaints out of the 4,503 com- 
plaints in total that it received in 2001, or .0056 percent of the 
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total, with similarly low numbers reported by all the other Federal 
bank regulators. 

Having said that, the FSCC recognizes that privacy notices con- 
stitute one area in which improvements can and should be made. 
This is by no means as easy as it sounds, however, because the no- 
tice requirements of the Gramm-Leach-Bliley Act are, in fact, quite 
detailed, as we just heard. The financial institution regulators tried 
very hard when they issued their regulations to simplify, including 
through the use of sample clauses, and they told institutions that 
a notice complying with the GLB Act could fit on a six-page, tri- 
fold brochure. In their first notices, financial institutions generally 
took this approach. But a six-page notice is not short, and terms 
from the sample clauses such as “nonaffiliated third-party” and the 
other terms that were quoted earlier this morning are the types of 
legalese that have been sharply criticized. 

To address these concerns, many institutions have tried to sim- 
plify the language used in their next round of notices. In addition, 
both financial institutions and their regulators are exploring a sim- 
plified, short-form version of the notice that would supplement, but 
not replace, the longer legal notice required by the Gramm-Leach- 
Bliley Act. The basic idea is to use simplified terms, be much less 
legalistic than the longer notice, keep the length to one page, and 
use common language to make it easier for consumers to compare 
policies. 

The FSCC is leading one of the short-form notice projects in 
which we have hired a well-known language expert, and we have 
nearly completed the initial drafting phase. 

Let me now turn to the misunderstanding about the amount of 
State legislative action that has occurred since passage of Gramm- 
Leach-Bliley. 

During this period, no State legislature has adopted a compre- 
hensive financial privacy statute that has exceeded the obligations 
of the Gramm-Leach-Bliley Act. Nearly 40 States did consider such 
privacy legislation in 2000, the year after the law passed, but no 
such statute was enacted. About half that number revisited the 
issue in 2001, again without final action. And this year, only Cali- 
fornia has come close to enacting a new law. But for the third time 
in 3 years, the legislature has chosen not to do so. 

We recognize the initiative in North Dakota which we will hear 
about and the action by regulators, but not legislatures, in New 
Mexico and Vermont. But taken together, these few actions simply 
do not constitute a groundswell of State action. 

The FSCC believes the States’ diminished focus is due largely to 
an increased understanding that the Gramm-Leach-Bliley protec- 
tions are real and need some time to work, and that it is more com- 
plicated than it first seems to impose new restrictions without 
causing major unintended consequences. 

In terms of new Federal privacy legislation, we believe that any 
action that Congress considers should be targeted to specific harms 
rather than take the form of sweeping data protection restrictions. 
For example, if the harm to consumers that people care about most 
is identify theft or excessive telemarketing, then legislation should 
remedy these problems specifically and not impose broad restric- 
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tions on information-sharing. The FSCC stands ready to work with 
public policymakers to address specific consumer harms. 

Let me emphasize, however, that the FSCC could not support 
any new financial privacy legislation that did not include Federal 
preemption to ensure a uniform national privacy standard. The 
FSCC also supports extending the FCRA provision that preempts 
State restrictions on affiliate-sharing, which would otherwise sun- 
set by the end of 2003. 

Thank you. I would be happy to answer any questions. 

Chairman Sarbanes. Thank you, Mr. Dugan, for your testimony. 
We are pleased to have you back again with the Committee. 

Mr. Dugan. Thank you again, Senator. 

Chairman Sarbanes. We are now going to hear from Attorney 
General Mike Hatch, who has been the Attorney General of the 
State of Minnesota since 1998. He previously served in the 1980’s 
as Minnesota’s Commissioner of Commerce, the primary regulator, 
as I understand it, of banks, insurance companies, securities, and 
real estate firms doing business in Minnesota. 

Attorney General Hatch, we are pleased to have you with us. 

STATEMENT OF MIKE HATCH 
ATTORNEY GENERAL, THE STATE OF MINNESOTA 

Mr. Hatch. Thank you, Mr. Chairman. And I want to thank all 
of you for your leadership on this issue. 

I had the opportunity a couple of years ago to watch a hearing 
in the Minnesota legislature on the issue of privacy. The Wall 
Street Journal had covered it and pointed out that there were 58 
lobbyists retained by a variety of different members of the financial 
industry, the telephone industry, HMO’s, insurers, you name it. 
And they all piled in, and the pressure was immense. Both parties 
collapsed. They just caved in. 

I know that the pressure on you people is immense. I applaud 
you for your leadership and for your efforts here. It takes guts and 
courage and it is very refreshing to see that type of leadership in 
this country. 

So, I thank you very much. 

The question was raised about, gee, we have gotten all these no- 
tices. Why don’t people understand them? 

I just want to point out, the first letter I received 

Chairman Sarbanes. I think if he could bring it right up here 
next to the table. 

Senator Shelby. Bring it up inside. 

Chairman Sarbanes. Yes. 

Senator Shelby. That would help. 

Chairman Sarbanes. Come right on around. 

Senator Shelby. Up near the Senator. 

Chairman Sarbanes. Don’t block — we want Senator Stabenow to 
see this easel, too. 

Yes, that is it. 

Senator Shelby. Okay. 

Chairman Sarbanes. Now if we put the things on. Good. 

Senator Shelby. That is better. 

Chairman Sarbanes. Are you okay, Debbie, with that? 

Senator Stabenow. I can see it better than you. 
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[Laughter.] 

Chairman Sarbanes. All right. The panel’s okay. So go ahead. 

Mr. Hatch. Mr. Chairman, Members of the Committee, the point 
was raised by the financial industry here that, we have all these 
notices out there. People do need to understand what is going on. 

So what is the beef? 

All of these notices were sent to me from a former Congressman, 
Alec Olson, from the 1970’s. He is now, I am guessing, 75 to 80 
years of age. He says, “What is all this garbage? I don’t understand 
it.” Now if a retired Congressman doesn’t understand it, how do we 
expect that two-thirds of our senior citizens who are the subjects 
of the rip-off that occurs because of this financial fraud, which is 
targeted to seniors, how do we expect them to be able to discern 
these issues? 

We heard the Attorney General from Vermont read that disclo- 
sure statement, and in the end, what they did not say is, listen, 
regardless of what you do, we are going to share this with our af- 
filiated institutions and we are going to use it in other ways as 
well. Even if you did read it and understand it, you would have to 
be a Wall Street lawyer to figure that out. 

Here is a letter that I got a kick out of it because it was after 
Gramm-Leach-Bliley. This lady had gotten a notice from General 
Motors Corporation and she says: “What is this business about an 
opt-out? Why do I have to notify them? And I have been in the fi- 
nancial industries for almost 20 years. I find this unacceptable and 
a bit unbelievable.” 

Now what is significant, if you notice her name, she is from a 
leading investment bank in this country and she is in charge of 
their education. Look at her business card at the bottom. She did 
not know. And she thought it was unbelievable. Now if she doesn’t 
know, and she is in charge of educating the members of that in- 
vestment bank, how does that senior citizen know? 

Now if we go to the next exhibit, we will try to figure out, how 
do they know? 

This is actually before GLB. But let me assure you, the com- 
plaints in our office, we run a consumer division, the complaint 
load is higher than it was in the past. I do not attribute it to being 
higher because of GLB. I attribute it just that there is more in- 
creased abuse that goes on in a tighter — when employment gets a 
little rough, the economy gets cool, fraud tends to go up. It’s the 
same thing. It hasn’t changed. 

Two-thirds, again, still being targeted on seniors. 

This one is a Mr. Clinton — I do not know how to pronounce the 
last name — Sjosten, I guess. It is a Legal Aid lawyer writing this 
letter. He says that Mr. Clinton is 87 years old. He had a career 
as a janitor of a church. And he retired. He has been in a nursing 
home for 10 years. Telemarketers got that information from Mont- 
gomery Wards. They charged up $2,400 on him, an auto club mem- 
bership. But he doesn’t own a car. He hasn’t had one for 10 years. 
A homeowner’s warranty plan. But he doesn’t own a home. He is 
in a nursing home. A dental plan. But he has no teeth. 

[Laughter.] 

Charged $2,400. And you ask, how can this be? How can we be 
so inhumane to our senior citizens that we allow this type of ma- 
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nipulation to go on? That is all he asks. I represented banks in pri- 
vate practice. I was a banking commissioner. Rural banks do not 
trade this information. They want it kept private. In our State, we 
have laws. I have represented companies. We have very strong 
common law, and I think it exists throughout the country, that 
says, listen, when you come into a bank with your business plan, 
if I am a business and I come in there with a business plan to get 
a loan, that bank cannot share it. 

Before Glass-Steagall in the 1920’s, they would go out and dis- 
tribute it. They would give it to their investment arm and then 
they would go steal the business, the idea, the trade secret, if you 
will, from the client. Well, that was shut down. The law is pretty 
clear. And banks know, you keep that confidential. 

But you know what? Under this GLB, you hear those notices 
that were read by the Attorney General? It said, your loan data is 
not public. With whom? What about the checks I write out as a 
business? What about the checks I receive? That is my customer 
list. That is a property right, for crying out loud. It is not only a 
liberty right, but also a property right. 

Somebody says, well, jeez, they won’t respond in an opt-in. Yes, 
they will. Pay them. 

The financial banks — the people who are selling this stuff, our 
data, we are on about 300 lists each. This data is being traded 
around all over the place. And they sell it. They make money on 
it. Over 300 bucks a year, on average. 

Why don’t they pay us a little royalty. You know how to get me 
to go sell my name? Give me some frequent flier miles, maybe I 
will do it. I do not know. Maybe some people will. But pay them. 
Don’t hog it all for yourself. 

If it is a property right, why do we allow them to get away with 
it on an opt-out? Pay, and people will intelligently make a decision 
as to whether this property right will be given up. 

Do you know what will happen? Information will still flow. There 
will be companies that will sprout up that will engage in this. That 
is fine. That is called free enterprise. Why are we against that? 

Property rights. What about the personal liberty right? I go out 
and I give speeches and I ask them, please raise your hand if you 
have ever had a yeast infection, a hemorrhoid problem, filed for 
bankruptcy, bounced a check, had a mental illness, gone in for 
chemical dependency. I go through the whole routine. Please raise 
your hand. And there is a gasp. 

If you look at HIPPA, HIPPA is no better than GLB in terms of 
the opt-outs. Oh, we are going to have medical privacy. But then 
there is a little exemption that says, for telemarketing purposes, 
you are allowed to use it. Well, the exemption swallows the rule. 

All of this information is being traded. What about our right to 
define who we are? Thank God we did not have that type of infor- 
mation going when I was in my 20’s. I wouldn’t be sitting here at 
this table. 

[Laughter.] 

When you are in your 20’s, you experiment with ideas, right? 
And thoughts. Your telephone company can sell the telephone num- 
bers you have. 

What about search warrants? 



17 


I, as a public official, cannot go pull your bank data without a 
search warrant without some probable cause because you have a 
reasonable expectation of privacy, right? 

Now, with these laws basically saying, you do not have a reason- 
able expectation of privacy, guaranteed there will be a day where 
a judge will say, because everybody else in the world can get this 
data, why can’t the Government, too, without the search warrant? 

There is a very strong, compelling issue that is afoot here and 
it is not the bank’s data. It is my data. That is the way it is in 
Europe. That is the way it is in other cultures. Most people think 
it is that way here. It is a reasonable expectation of why not — in 
most contracts we have in America, there is an offer and an accept- 
ance. Where is the acceptance on an opt-out, to give up my private 
information? Why not just pay me for it? You would be amazed 
how many people will respond to a little money. That is okay. 

Now these are very important rights. It is a personal right. It is 
a property right. I applaud you for your courage in standing up on 
this issue and I wish you the best in getting a bill through. 

Thank you. 

Chairman Sarbanes. Thank you, Attorney General Hatch. 

We will now hear from Representative Jim Kasper, a Member of 
the North Dakota House of Representatives, who is very deeply in- 
volved in the referendum held earlier this year in North Dakota. 

As I understand it, I am sure that Representative Kasper will de- 
velop this, a statute had been passed that reduced the existing pri- 
vacy rights under North Dakota law. It was taken to referendum 
by the citizens of North Dakota and overwhelmingly, the referen- 
dum was overwhelmingly passed, thereby negating the statute. 

Representative Kasper, we would be happy to hear from you. 

STATEMENT OF JAMES M. KASPER 
MEMBER, HOUSE OF REPRESENTATIVES 
THE STATE OF NORTH DAKOTA 

Mr. Kasper. Thank you, Chairman Sarbanes, and Members of 
the Committee. 

I want to comment before I start my testimony how much I agree 
with the three distinguished Senators and your opening remarks. 
You are right on. And the people of the United States are right on 
with you, as we found in North Dakota. 

I am a first-term representative in North Dakota. We have a 
part-time legislature in our State. We meet for 3 months every 
other year and then we go back to the real world of business. 

My background has been the insurance and financial securities 
business for my whole career. I even started that career in college 
as a senior to help support my newly gotten wife, who has been 
with me the 30-some years that we have been out of college. 

Little did I know when I came to the legislature of North Dakota 
that the bulk of my time in that freshman term would be spent 
battling the banks on the issue of privacy. But that is exactly what 
happened. 

North Dakota had a privacy law that was developed and enacted 
in 1985 at the bequest of the banks, and it allowed no affiliate and 
no nonaffiliate sharing of information. So private information was 
totally private. In 1997, our law was amended quietly at the re- 
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quest of the banks to allow affiliate-sharing, probably in anticipa- 
tion of Gramm-Leach-Bliley. So, we had that item in North Dakota 
law. We also had the bank loopholes, so to speak, in North Dakota 
law where banks marketed and continue to market insurance in 
small towns. 

I have competed with the financial services of the banking indus- 
try my whole career in North Dakota. So, I have an idea of what 
they do, how they compete, and what their strategies are. 

It is my understanding that the banking industry is being led in 
their battle to defeat privacy laws like North Dakota by the organi- 
zation that is represented here today and by, I think, a financial 
roundtable organization, are the groups that — there is a focused 
effort, in my opinion, to stop the privacy laws from changing. And 
that is what happened in North Dakota. 

The banking industry had their bank law introduced into our 
State Senate, Senate bill 2191. That, in essence, repealed North 
Dakota banking law and adopted the Gramm-Leach-Bliley defini- 
tions of privacy. 

I want to share with the Committee and read what their argu- 
ments were, why the North Dakota legislature should pass their 
law and throw out our very protective privacy law. Here is what 
they said: “North Dakota needs to pass Senate bill 2191 to adopt 
Gramm-Leach-Bliley in North Dakota law so that we will be in 
compliance with Gramm-Leach-Bliley.” 

This Committee knows that that is a joke. They knew that that 
was a joke, but that was one of their strategies — confusion. 

“North Dakota will experience job loss if we do not pass Senate 
bill 2191.” Now, you tell me how we are going to lose jobs, but their 
idea was the bank calling centers will pull out of North Dakota if 
you do not pass 2191. “North Dakota will experience negative eco- 
nomic development if we do not pass Senate bill 2191.” Businesses 
will not come to North Dakota because it will be too onerous to 
comply with old North Dakota privacy law. 

There is no cost at all to comply with North Dakota privacy law. 
The businesses go on doing what they do and their information is 
protected because one thing in North Dakota law, not only do we 
protect consumer privacy, but we also protect all privacy. 

So business transactions, ag transactions, nonprofit transactions 
are all private. 

“We do not want North Dakota to be the only State in the Na- 
tion, an island, which has different privacy laws from other States.” 
Obviously, as the Attorney General from Vermont stated, there are 
other States that have privacy laws like North Dakota. And as the 
legislators of the various States begin to realize what GLB privacy 
is all about, we are going to see more State legislators introduce 
laws. I know of two States right now that are contemplating, legis- 
lators who are contemplating initiating privacy protection laws like 
North Dakota’s in their legislature in their next session. 

The most funny of all, “If we do not pass Senate bill 2191, the 
people of North Dakota may not be able to use their ATM’s, credit 
cards, and their checking accounts.” 

In a recent trip to California, at the invitation of Senator Jackie 
Speier to work with the California assembly, most of the goal was 
to try to convince some Republicans to support Senator Speier’s bill 
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because that has become a partisan issue, which it should not be. 
These were their same arguments. 

So this is a national strategy that I submit is being utilized and 
orchestrated by the banking industry to stop privacy laws from 
being passed and to try to repeal a North Dakota law. 

Anyway, these arguments convinced my colleagues in both the 
House and the Senate to overwhelmingly, with between a 70 and 
80 percent vote, pass their bill. There were just a handful of us 
who attempted to stop that bill. Two of us were freshmen legisla- 
tors, and you know how much credibility freshmen have any place. 
So the bill was passed. The law was signed by our governor, who 
was a former banker, and it was enacted into North Dakota law. 

Fortunately, that is not the end of the story because a group of 
citizens called Protect Our Privacy formed. Volunteers. No money. 
No budget. Just a goal to repeal Senate bill 2191 in North Dakota. 
And in the course of a few short weeks, gathered the number of sig- 
natures necessary, a little over 17,000, to repeal the law, or to refer 
it and put it to a vote to the people. 

When you consider that we only have 640,000 people, 17,000 is 
a big number. It is equivalent to almost 900,000 signatures in the 
State of California. 

Their initiative is going forward, as this Committee heard. And 
by the way, I predict that when and if their initiative is on the bal- 
lot, it will be on the ballot, unless the California legislature acts 
responsibly next year, that initiative is going to overwhelmingly 
succeed. 

The more money the big banks spend, the more the people get 
angry, and that is exactly what happened in North Dakota. The 
banks were well financed. Their first campaign statement showed 
they had $129,000 raised. We had $2,800. By the time the whole 
battle was done, their media blitz throughout the State of North 
Dakota was enormous. They attempted to persuade the people of 
our State that all the arguments which I shared with you earlier 
were needed to keep the bill. 

Our statement and position was very simple. Whose information 
is it, anyway? Do you own it? Should you have the right to control 
it? Or should the banks own it once they get it and be able to share 
it and sell it without your consent and knowledge? That was the 
focus. That is all we could talk about because that is the truth and 
the bottom line of this privacy battle — whose information should it 
be, as Attorney General Hatch has indicated? 

When the people understood, the vote was 73 percent to throw 
out the Senate bill 2191 and go back to North Dakota law. I submit 
that as more and more people in the United States become aware 
of what this is all about, you are going to see more and more State 
legislators move forward to do the same thing in their State. 

Unfortunately, that is time-consuming and costly and you have 
the might of the big banks, who will be there to try to thwart the 
issue every time it comes up in every State legislature. We had 
full-time lobbyists up there from the banking industry, three or 
four of them. The credit union lobbyists were involved. The big 
banks came in. The local bankers came in to talk to their legisla- 
tors and the legislators were, frankly, somewhat misled and con- 
fused on this issue because they talk real good. But the people 
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know better and the people of our country want their private infor- 
mation protected. 

If we do not do this, if we do not move forward with protection, 
because the lifeblood of this battle for financial services is the free- 
flowing of consumer confidential financial information, Gramm- 
Leach-Bliley does not foster competition. It eliminates competition. 

As a small business person in the financial services industry, I 
have a very difficult time competing with the Wells Fargos of the 
area. When a person comes in to get a loan and provides their tax 
return, their financial statement, their history, and the loan officer 
just goes to the insurance agent or the securities agent and says, 
here, here’s some stuff. Look it over. Go call this guy. 

That happened on one occasion with my best client in Fargo, who 
I have served with life insurance for 20-some years. An insurance 
agent from Wells Fargo called on them and had all of their finan- 
cial information and, in fact, showed them a sophisticated insur- 
ance proposal where they had to have gathered their incomes, their 
date of birth, et cetera. My client knew nothing of it, had never met 
the agent before, and this guy comes in and shows him the infor- 
mation. He called me. We looked at it. We threw it in the garbage. 
But the point is, why should that insurance agent have gotten that 
information in the first place? He shouldn’t have. 

My mother in Beulah, my hometown, western North Dakota, just 
had a CD come due. The bank teller recommended that she put it 
into an annuity. The bank teller knows nothing about my mother’s 
financial information and her background and her financial needs. 

My mother, thank goodness, said, I call my son on these things. 

[Laughter.] 

She did. And we are looking at what she should do with her CD. 

The point is, people are handling confidential information all 
over the place. It has run amuk. And I hope that this Committee 
will have the courage to stand up to the tremendous lobbying 
effort you are going to see and reverse the things in Gramm-Leach- 
Bliley that need to be reversed, such as no sharing of information 
to nonaffiliates, period. A no-opt. 

An opt-in sharing of information for affiliates. And the joint mar- 
keting agreement loophole, that needs to be fixed. I understand 
why it was introduced, to allow the small banks and credit unions 
to compete with the Wells Fargos of the world. That definitely 
needs to be fixed. 

Mr. Chairman, and Members of the Committee, I see my time is 
up. I have a lot more I could say about this issue. But I thank you 
very much for the opportunity to be here. 

Chairman Sarbanes. We thank you very much, Representative 
Kasper. It is a very instructive story that you tell and we really 
appreciate it. 

Before she leaves, I do want to add just one dissent to what you 
said. You said that the freshmen members of the legislature do not 
have much influence. 

[Laughter.] 

I agree with that statement generally. But I do want to under- 
score what a tremendous exception to that statement our freshman 
Member, Senator Stabenow, has been here, both in the Committee 
and in the Senate. 
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Senator Stabenow. Thank you. 

Chairman Sarbanes. We will now turn to Phyllis Schlafly. We 
are very pleased that you are here with us today. As we all know, 
Phyllis Schlafly is the President of the Eagle Forum. She has been 
an outspoken advocate on a number of very important issues and 
has testified frequently here in Congress. She is the author/editor 
of numerous books and publications. Ms. Schlafly, we are delighted 
to have you with us today. 

STATEMENT OF PHYLLIS SCHLAFLY 
PRESIDENT, EAGLE FORUM 

Ms. Schlafly. Thank you, Mr. Chairman, and Senator Shelby. 

Totalitarian governments keep their subjects under constant sur- 
veillance by requiring that everyone carry “papers” that must be 
presented to any Government functionary on demand. This is an 
internal passport that everyone had to show to authorities for per- 
mission to travel within the country, to move to another city, or to 
apply for a new job. 

Having to show papers to Government functionaries was bad 
enough when papers meant merely what was on a piece of paper. 
In the computer era, personal information stored in databases can 
be used to determine your right to board a plane, drive a car, get 
a job, enter a hospital emergency room, start school, open a bank 
account, buy a gun, or access Government benefits such as Social 
Security, Medicare, or Medicaid. 

While each classification currently has its own set of rules, con- 
necting all these dots would amount to the personal surveillance 
and monitoring that are the indicia of a police state. The Wash- 
ington buzz words, “information-sharing,” are often put forth as the 
solution to 21st Century problems, but this has significant privacy 
implications that I am very happy you are addressing. 

The global economy is obsessed with gathering information. The 
lifestyle or profile of each consumer is a valuable commercial com- 
modity. The checks you write and receive, the invoices you pay, and 
the investments you make reveal as much about you as a personal 
diary. Where I shop, how often I travel, when I visit my doctor, 
how I save for retirement are all actions known to financial institu- 
tions, which connect the dots of my life and create a valuable per- 
sonal profile. This compilation of personal information is bad 
enough, but the sharing of it without my consent is even worse. 

True privacy protections encompass the principles of notice, ac- 
cess, correction, consent, preemption, and limiting data collection to 
the minimum necessary. 

The bill commonly known as Gramm-Leach-Bliley had the finan- 
cial goal of streamlining financial services, thereby increasing affili- 
ation and cross-company marketing. But it was conflicted with the 
goal of true financial privacy. Greater affiliation meant greater in- 
formation-sharing. Interjecting the right of individuals to control 
their personal information into that streamlining equation was per- 
ceived as a threat to this big business scheme. 

Gramm-Leach-Bliley does not provide consumers with any oppor- 
tunity to decide for themselves about the transfer of their private 
information among affiliates. Particularly troubling is the large 
number of companies marked as affiliates. For example, the Bank 
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of America has nearly 1,500 corporate affiliates, and Citigroup has 
over 2,700. There is no opportunity to stop this free flow of per- 
sonal information. 

Gramm-Leach-Bliley did include a privacy notice provision. Pri- 
vacy notices should be simple documents outlining what kinds of 
information are collected and how the business plans to use that 
information. However, the notices sent to consumers as a result of 
Gramm-Leach-Bliley turned out to be too complicated for the public 
to cope with and they were always written in very fine print. 

Gramm-Leach-Bliley provided the right to opt-out of information- 
sharing but only to third parties. Figuring out how to prevent the 
sale of your personal financial diary, and to whom you were actu- 
ally denying it, was made very difficult. Real opt-out consent de- 
pends on being able to understand what you are saying no to. 

In 1998, the Clinton Administration proposed a Federal regula- 
tion called Know Your Customer, which would have turned your 
friendly local banker into a snoop reporting to the Federal database 
called FinCEN any deviation from what the bank decided is your 
deposits/withdrawal profile. The American people and the Eagle 
Forum was a part of this effort, responded with 300,000 angry e- 
mail criticisms and the regulation was withdrawn. The department 
subsequently said they would no longer receive e-mail criticisms. 
However, the Bank Secrecy Act still requires banks to share some 
personal information with the Government through suspicious ac- 
tivity reports. 

The Bush Administration’s proposed regulations to implement 
the USA PATRIOT Act’s Anti -Money Laundering provisions are 
even more intrusion than Know Your Customer. The Wall Street 
Journal reported that the Treasury Department entered into an 
agreement with the Social Security Administration to access a 
database to verify the authenticity of Social Security numbers pro- 
vided by customers at account opening. 

Congress promised us that the Social Security number would 
never be used for anything else when it was created, and certainly 
not for identification purposes. Giving financial institutions access 
to Social Security Administration’s database contemplates using 
the number as a national ID number, which is a step in the wrong 
direction. 

I remember after President Nixon opened up China, The New 
York Times printed a large picture of a warehouse of what were 
called dangens. This was a manila folder containing all the per- 
sonal information on every person in China. It started in school. It 
followed them all through life, with all of their job information. 

It is the computer that makes it possible to create a dangen on 
every American citizen, and that is not America. 

In conclusion, neither Government nor private business should 
act as if they can own, share, display, or traffic our personal infor- 
mation. It is a property right issue. Our personal financial data 
should be protected by a firewall and accessible only to those to 
whom the individual gives the authority. 

Thank you very much, Mr. Chairman. 

Chairman Sarbanes. Thank you very much, Ms. Schlafly. We 
are very pleased to have you here today. 
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Our concluding panelist is Ed Mierzwinski, who is the Consumer 
Program Director of the U.S. Public Interest Research Group. He 
comes today testifying on behalf of a number of consumer groups, 
both the broader groups — Consumer Action, Consumer Federation, 
Consumer Union, and then a number of groups that are more spe- 
cifically focused on the privacy issue — the Electronic Privacy Infor- 
mation Center, Identity Theft Resource Center, Privacy Rights 
Clearinghouse, and Private Citizen. 

We are very pleased to have you here, sir. 

STATEMENT OF EDMUND MIERZWINSKI 
CONSUMER PROGRAM DIRECTOR 
U.S. PUBLIC INTEREST RESEARCH GROUP 
ON BEH ALF OF: 

CONSUMER ACTION, CONSUMER FEDERATION OF AMERICA 
CONSUMER TASK FORCE ON AUTOMOTIVE ISSUES 
CONSUMERS UNION, ELECTRONIC PRIVACY INFORMATION CENTER 
IDENTITY THEFT RESOURCE CENTER, JUNKBUSTERS, INC. 

PRIVACY RIGHTS CLEARINGHOUSE, PRIVATE CITIZEN, INC., AND 
U.S. PUBLIC INTEREST RESEARCH GROUP 

Mr. Mierzwinski. Thank you, Mr. Chairman and Members of the 
Committee, and in particular, I will recognize Senator Shelby, the 
founding Co-Chair of the bipartisan Congressional Privacy Caucus, 
for his leadership, as well as yours. 

The organizations that I am representing today believe strongly 
that people have a strong right to privacy and that privacy should 
be based on Fair Information Practices. 

Recognizing when it enacted the Gramm-Leach-Bliley Act, that it 
was increasing the potential for privacy invasions, Congress acted 
by establishing Title V to try to protect privacy. The basis of Title 
V we believe is flawed and a lot of that has already been articu- 
lated by some of the other witnesses on the pro-privacy side today. 

The primary basis of the Act is that it is based on notice. Notice 
is not enough. As we have seen from the first 2 years of examples, 
the notices are unclear, the notices are indecipherable, the notices 
are unreadable. 

The Privacy Rights Clearinghouse commissioned a consultant, 
Mark Hochhauser, on readability in 2001. He surveyed 60 of these 
notices and found that they were written essentially for a graduate 
school education. 

The average consumer has not been to graduate school. And I 
concur with General Sorrell that there should be something like a 
nutrition notice at the front of every privacy notice and the check- 
off box for voting out or voting in, whether it is an opt-out or an 
opt-in, and of course, we would prefer an opt-in, as I will discuss 
briefly. That check-out box should be on the front page, not on the 
8th page of a 6-point type document with 27 to 35 word compound 
sentences. 

This year, as part of California PIRG’s efforts to enact the Jackie 
Speier legislation, SB-773, broad consensus legislation supported 
by a number of privacy and consumer organizations in the State 
of California, California PIRG updated the Hochhauser study with 
a study of 10 privacy notices in August. We found that the best of 
the 10 got a C minus. So notice is not enough. 
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In my testimony, I also refer to a very disturbing decision by a 
U.S. District Court Judge in California in an unrelated financial 
privacy case, but a related case to notice provisions. In that deci- 
sion, Judge Zimmerman suggests that a large telephone company 
may have hired consultants that taught it to purposely make its 
privacy notices deceptive. And I cite some of those notices. How to 
convince people not to opt-out. How to convince people that the no- 
tice is a nonevent. 

There were a series of consultants actually hired by the company 
to teach the company how to make its notices unreadable, essen- 
tially. So, I am very concerned about that. And that is, of course, 
one of the reasons that we think notice is not enough. 

The second problem we have with the bill, of course, is that the 
consent provision in the bill only applies to some transactions. It 
applies, not to all third parties. It applies to some third parties. 

Let’s be very clear. It is an opt-out, meaning that you have to af- 
firmatively say no, and it does not apply to all transactions. It only 
applies to some third parties, essentially limited to telemarketers. 

Transactions between and among affiliates and joint marketing 
partners — and there is no exception in the law that prevents large 
institutions, some of them have as many as 2,761 affiliates, as we 
heard earlier, that prevents large institutions from also using out- 
side joint marketing partners as well. 

So the fact is the bill is based on only part of the Fair Informa- 
tion Practices, which we believe the data-collectors should sub- 
scribe to. 

In recognition of the fact that there had been a major privacy 
scandal that had been discovered by the State of Minnesota Attor- 
ney General, Attorney General Hatch, and his office, the U.S. Bank 
case, the Congress included an encryption provision in Title V to 
try to tighten it up a little bit more. The encryption provision was 
included and it stated that telemarketers could not obtain the cred- 
it card numbers of consumers. 

The reason for that was that in the U.S. Bank case, as Attorney 
General Hatch has described, the consumer never gave out their 
credit card number to telemarketers. Their bank gave their credit 
card number to telemarketers. 

As the Attorney General has testified, and as General Sorrell has 
testified as well, the encryption provision has not worked. 

Essentially, Gramm-Leach-Bliley codified the preacquired ac- 
count telemarketing programs that are in place at many of the 
largest banks in the country. These banks are no longer providing 
the credit card number directly to the telemarketer, but the tele- 
marketer has a button that he or she pushes that allows the bank 
to bill the consumer. 

Now one of the witnesses testified that opt-out doesn’t work and 
that opt-in would work even worse. 

In Attorney General Hatch’s recent settlement with Fleet Bank, 
he sent a letter to the consumers who had been victimized — excuse 
me — Fleet Mortgage Company, an affiliate of Fleet Bank. You 
would think that this kind of tawdry telemarketing would be lim- 
ited only to credit card companies, but mortgage companies are 
doing it, too. 
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Attorney General Hatch sent a letter to a number of Minnesota 
consumers asking them whether they wanted to opt-in to his settle- 
ment and get their money back. Well, 50 percent of them re- 
sponded within 2 weeks. 

If you write your opt-in letter well, and if you offer people some- 
thing, opt-in does work. And if you are trying to get people’s money 
back from a rip-off telemarketer who is in league with your bank, 
opt-in does work. 

So, we were very pleased to see that. 

The last point I want to make, of course, is that the best part 
of the Gramm-Leach-Bliley bill is, in fact, its States rights fail-safe, 
the so-called Sarbanes Amendment, that has allowed the States to 
experiment. As the great Justice Louis Brandeis said, “The States 
are the laboratories of democracy.” And although the industry has 
sent hundreds of lobbyists out to Fargo, out to Sacramento, out to 
Bradelborough, I have been to all these places, I have seen all the 
industry lobbyists, Montpelier, excuse me, in Vermont, and all the 
other State capitals where the State PIRG lobbyists work, the in- 
dustry is trying to stop these laws, but these laws are being consid- 
ered and you need to protect the right of the States to continue to 
try to pass stronger privacy laws. 

The costs of privacy have been articulated by industry as tremen- 
dous — billions and billions of notices, the loss of the free flow of 
information. 

I want to point out that there are costs to the lack of privacy as 
well. I would like to enter into the record a study* by independent 
consultant Robert Gellman which refutes a number of the industry- 
funded studies that the industry relies on to make its points. 

The fact is the lack of adherence to Fair Information Practices 
leads to identity theft, which costs hundreds of thousands of con- 
sumers, hundreds of dollars a year in out-of-pocket costs, hundreds 
of hours in trying to clear their good names, extra costs because 
their credit reports are in error and they must pay extra for sub- 
prime credit, the costs of profiling, the cost of being targeted and 
the cost of being put into a box that you are a Tobacco Road con- 
sumer and not a Gucci Gulch consumer on one of these 300 lists, 
and you pay too much for credit and you only get offered mediocre 
offers. These costs are very substantial and these costs affect con- 
sumers in a very negative way. 

In terms of the free flow of information, industry wants to have 
that one both ways. Many banks are limiting their flow of informa- 
tion about a consumer’s good credit in order to prevent that con- 
sumer from having a good credit report and a good credit score. 

They are gaming the credit-scoring system and Comptroller 
Hawke did a speech on this several years ago, and he was very con- 
cerned about it. If a consumer’s credit score is affected by a limit 
on how much information banks share with credit bureaus, that 
consumer doesn’t get any offers. That consumer doesn’t get any 
opportunities. 

So there are some very serious costs to a lack of privacy and 
identify theft is one. Profiling is another. The cost of paying too 
much for credit because banks are gaming the system is another. 


*Held in Committee files. 
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Stalking is even a problem of the costs of lack of privacy, as the 
case of Amy Boyer several years ago. 

I want to conclude briefly by saying that the State PIRG’s and 
the other consumer and privacy groups that are signed on to our 
testimony today very much appreciate that you held this hearing. 
We will continue to work in the States on privacy, financial privacy 
issues, identity theft issues, credit-scoring reform, and other as- 
pects of financial privacy. 

We are disappointed that some industry groups have tried to 
suggest that financial privacy prevents them from helping Director 
Ridge from fighting the terrorists as one of the excuses they make 
to try to roll back the State privacy laws. 

We are disappointed also that they say you won’t be able to use 
your ATM card if we pass strong financial privacy laws. But that 
is life in the big city and we will continue to fight and we appre- 
ciate you fighting with us. 

Thank you very much. 

Chairman Sarbanes. Thank you all very much. This has been a 
very, very helpful panel. 

We have been joined since the panel began by two of our col- 
leagues and I am going to turn to them now to see if they want 
to make an opening statement before we start directing questions 
to the panel. 

Senator Akaka. 

COMMENTS OF SENATOR DANIEL K. AKAKA 

Senator Akaka. Thank you very much, Mr. Chairman. 

It is good to hear witnesses from around the country on the issue 
of financial privacy. 

The sharing of consumers’ financial information needs to be regu- 
lated to reduce frustrations and the likelihood of the misuse of that 
information. Financial institutions are required to provide their 
customers with information regarding their privacy policies on an 
annual basis. Financial institutions are prohibited from sharing 
nonpublic personally identifiable customer information with non- 
affiliated third parties, unless customers are provided with an op- 
portunity to opt-out. 

My constituents in Hawaii have contacted me to express their 
frustrations with the opt-out process. The opt-out process is time- 
consuming for many individuals and in some cases, privacy notices 
are too difficult to understand. I agree that the notices are not 
enough and are difficult to understand. 

Financial privacy is one of many areas in which consumers’ fi- 
nancial literacy needs to be increased. Consumers need to be fully 
aware of their opportunities to exercise financial privacy restric- 
tions and how to do so. 

In addition to education, a complete examination of the current 
laws intended to protect personal financial information is needed to 
ensure that consumers are protected. 

Again, Mr. Chairman, I thank you for conducting this hearing. 

Chairman Sarbanes. Thank you, Senator Akaka. 

Senator Corzine. 
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COMMENTS OF SENATOR JON S. CORZINE 

Senator Corzine. Thank you, Mr. Chairman. 

I can only tell you that there is almost nothing that Senator 
Akaka said that I would disagree with or preparing myself for this, 
knowing the concerns of both the Chairman and Ranking Member 
with regard to this privacy issue, that I want to very much identify 
with, needs to be cleaned up. 

I hear about this all of the time as I visit with constituents 
around the State, a growing, growing concern about invasion of 
one’s personal information, the integration of the marketing as- 
pects of information collected by those that have access to financial 
transactions and so on. 

I am anxious to be a consistent and full participant in this proc- 
ess, and I will emphasize this financial literacy issue. 

I can tell you that I have read a lot of these statements myself. 
I usually go to sleep before I get to the end of them, and know 
where you are supposed to sign off. 

[Laughter.] 

I think it is a ruse on the public with regard to this opting-out 
process. 

So, I look forward to working with you and the other Members 
of the Committee in this area. 

Chairman Sarbanes. Thank you very much, Senator Corzine. 

Both Senator Corzine and Senator Akaka have been very, very 
active on the financial literacy issue and we certainly appreciate 
their concern. 

Professor Cate, I want to ask you a question right off the bat. 

The Financial Services Coordinating Council, who Mr. Dugan is 
representing here, issued a booklet, not too long ago on what they 
call the drawbacks of an opt-in regime. And you were the author 
of that booklet. You recall that, I presume. 

Dr. Cate. I do. I think it was 2 years ago. But, yes, sir. 

Chairman Sarbanes. All right. Now in that, you are arguing 
against the use of opt-in. And I do not want to address the opt-in 
issue for the moment. 

In the argument you make against opt-in, you say: “Lawmakers 
should resist the mounting pressure to expand the use of opt-in, for 
eight compelling reasons.” And the first reason you give is, “Opt- 
in and opt-out both give consumers the exact same level of control 
over how information about them is used. Under either system, it 
is the customer alone who makes the final and binding determina- 
tion about data use.” Now, of course, we have heard some criti- 
cisms about how the opt-out system works. But let me ask you this 
question. Am I to take from this statement that you support requir- 
ing opt-out for the sharing of any financial information? 

Dr. Cate. I think that would not be accurate to say that I sup- 
port opt-out for the sharing of any financial information. 

Chairman Sarbanes. I see. Well, you make the point here that 
opt-out gives — under both, the consumer has exactly the same level 
of control and therefore, you should use it. The alternative to opt- 
out is opt-in. And then you are very critical of opt-in. But you say, 
with opt-out, they can control their information. Is that correct? 

Dr. Cate. Yes, sir, Mr. Chairman. 



28 


Chairman Sarbanes. Should we have opt-out at least as a start- 
ing point or as a minimum for the sharing of financial information? 

Dr. Cate. I would not support that across the board. 

Chairman Sarbanes. Would not? 

Dr. Cate. I would not, sir. 

Chairman Sarbanes. How does that square with your statement 
here? 

Dr. Cate. It squares in this way. If there are areas or uses of 
information that the Congress believes that consumers should have 
control over, I think the opt-out is a better and certainly less ex- 
pensive system for allowing consumers to exercise that control. 

I personally do not believe that under the First Amendment that 
the Congress has the Constitutional authority to extend to con- 
sumers the right to exercise control over all uses of their financial 
information. 

Chairman Sarbanes. You do not think the information belongs 
to the consumer? 

Dr. Cate. I think the question of who it belongs to is more or 
less irrelevant. Under the Constitution, I do not believe Congress 
has the authority to use the power of the courts or to use regu- 
lators to enforce that restraint on the flow of information. 

Chairman Sarbanes. To opt-out as well as to opt-in? 

Dr. Cate. Yes, sir, although I believe the opt-in restraint is more 
severe, and so the First Amendment impediment would be greater. 

Chairman Sarbanes. So if I am a consumer and I give this infor- 
mation to a financial institution, it is then gone. They can do what 
they wish with it? 

Dr. Cate. There are many uses of information, which, if they do 
not present a risk of harm or — many uses of information, most uses 
of information, which I think in this country we presume 

Chairman Sarbanes. Should I make that judgment as the one 
who provided the information? Or do you get the information from 
me for a limited specific purpose, and then once you have it, can 
you then — you being the financial institution — turn around and do 
with it what you will? 

Dr. Cate. Well, Mr. Chairman, I believe it is a matter of law. 

If, in fact, information is obtained under an express condition 
that it will not be used elsewhere I think that restraint should be 
enforced, as the Federal Trade Commission has repeatedly done on- 
line and elsewhere. 

But the Constitution I think limits the power of the Government 
to create an impediment at the start to all uses of financial infor- 
mation or other forms of information, absent some form of substan- 
tial or compelling governmental interest. 

Chairman Sarbanes. That is interesting. What do you think of 
that, Ms. Schlafly? Do you think that we are precluded from plac- 
ing some restraint on the use of that information? 

Ms. Schlafly. I am amazed. 

Chairman Sarbanes. I am stunned. 

Ms. Schlafly. I think the information about what I do and what 
I buy is my property. I do not think it belongs to somebody else. 
If there is anything the United States stands for, it is individual 
property rights. 
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Chairman Sarbanes. Attorney General Hatch, what is your reac- 
tion to that? 

Mr. Hatch. Mr. Chairman, there is $15 to $20 billion of tele- 
marketing fraud in this country each year. As I said, two-thirds of 
it is targeted to senior citizens, who I do think we have some re- 
sponsibility to guard. 

We know that most of this is done through what is called pre- 
acquired accounts, meaning that they have the information from a 
bank or a credit card company. They never have to ask for that in- 
formation from the consumer because they already have it. It has 
already been obtained from the bank. 

That is a compelling State interest right there. 

I just don’t understand. If opt-out and opt-in are the same, why 
would it make any difference as to which information is being pro- 
tected? The point you were making, I do not know if we received 
an answer. 

Chairman Sarbanes. My concern with this statement is, the ar- 
gument that is made against opt-in, which would be an up-front 
permission from the provider of the information, or how it is used, 
the argument that is made is that the consumer can protect him- 
self because he has opt-out. 

Now there is a big difference between the two, but opt-out at 
least means that if the consumer initiates it, he can then say that 
I do not want that information provided. The other way, with opt- 
in, they have to get the permission to begin with. 

Professor Cate uses the argument in this pamphlet that you 
should not have opt-in because you have opt-out. So, I just asked 
him, well, does he then apply opt-out to all aspects of providing in- 
formation? I am told, no, he doesn’t. 

I am now told that, amongst other things, he thinks there is a 
Constitutional impediment to doing this, which I do not agree with. 
But, in any event, even as a policy matter — that is our problem. 

Here we have — it is a disingenuous argument to say, we do not 
need opt-in, because they have opt-out. 

Then you ask, well, would you apply opt-out to all aspects of the 
sharing of financial information? Then it is, no, no, we wouldn’t do 
that. So there is our problem. 

Yes, ma’am. 

Ms. Schlafly. Senator, it seems to me that the difference be- 
tween opt-in and opt-out is the default. Those of us who use com- 
puters know how valuable it is what the computer defaults to when 
you do not make an affirmative choice. 

With opt-in and opt-out, one way the default goes to the bank 
and the other way it comes to you. I think that that is an extraor- 
dinary difference. 

Chairman Sarbanes. I think that is a very important point and 
I said at the outset, I wanted to be careful. Because there is a very 
strong argument that opt-out is not adequate, the one you just 
made. Therefore, you should have to get an affirmative decision. 

But I cannot even get Professor Cate to give me opt-out on the 
sharing of the financial information. That would be a beginning 
here. At least we would begin to parse this thing out and see if we 
could not make some advance. 

I am told, no, no. 
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Well, I have used my time. If my colleagues will indulge me, I 
want to ask Mr. Dugan one more question. 

Mr. Dugan, you cited that these States were trying to pass these 
statutes now under the fact that under Gramm-Leach-Bliley, it is 
specifically stated that the States’ action in this field, that it is not 
preempted, that they can move ahead. And so, people go out and 
they fight these battles out in the State legislatures. As I under- 
stand it, you yourself have been in a number of State legislatures 
on this fight. 

Mr. Dugan. That is correct. 

Chairman Sarbanes. And you make the point that it has not yet 
passed, I think you said, in any State legislature. Is that right? 

Mr. Dugan. That is right. Any comprehensive statute. 

Chairman Sarbanes. I thought you said you drew from that the 
conclusion that this issue was a fading or a passing issue across 
the country, and that this was demonstrated that the public doesn’t 
really care about this issue and that it is going to go away. Is that 
your view? 

Mr. Dugan. I do not think I quite said that. What I was trying 
to get at 

Chairman Sarbanes. You came close to it. But, anyhow. 

Mr. Dugan. What I was trying to get at was this. 

Senator Shelby. You did not say it. You were hoping it. 

[Laughter.] 

Mr. Dugan. I think there is a perception, every State or many 
States in the country, that the trend has been for State legislatures 
to take this up and pass financial privacy legislation that goes be- 
yond Gramm-Leach-Bliley. And all I was trying to say was, in our 
experience, the trend has been in the other direction, with the no- 
table exception of California. 

Chairman Sarbanes. And North Dakota, by direct action of the 
people rather than the legislature. 

Mr. Dugan. That is right, but that was a restoring of a law that 
was previously on the books. My point is that the year after 
Gramm-Leach-Bliley passed, there was a huge set of bills intro- 
duced that went way beyond Gramm-Leach-Bliley in many States 
and debated in many States. None of them passed. Then the second 
year, it was about half that number. And in the third year, it had 
dwindled to a relatively few number of States that were doing it. 

I am not trying to say that there is no interest in it. There obvi- 
ously is. There was intense interest in California. 

I am just saying that if you take and look at the country as a 
whole, and what legislatures have done, I think that there has 
been a repeated set of circumstances in which legislators have de- 
cided that it has not been as easy to pass something like this in 
a way that works that doesn’t create unintended consequences. 

There is also a notion that this new Federal scheme has gone 
into effect, and we should give it a chance to work before we decide 
to layer on inconsistent privacy statutes across the country, which 
the FSCC thinks would be a disaster. 

Chairman Sarbanes. So, you think it is going to go away? 

Mr. Dugan. No, I did not say that. I think we have work to do. 
I think there has been a problem with the notices. They do have 
to get better. 
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Chairman Sarbanes. Where are you going to be if California 
passes an initiative on this issue? The California legislature came 
close this year, as I understand it, very close. But where are you 
going to be if they pass an initiative in California? 

Mr. Dugan. Senator, that is a hypothetical situation. 

Chairman Sarbanes. Do you think an initiative would pass in 
California on the basis of the North Dakota experience? 

Mr. Dugan. I certainly would hope not. 

Chairman Sarbanes. Mr. Kasper, you wanted to add to that? 

Mr. Kasper. Yes, thank you, Mr. Chairman. 

Just an observation. If the other States in the last 2 to 3 years 
were bombarded by the banking lobbyists as North Dakota legisla- 
tors were, when they were confused and misled by the bank argu- 
ments, which I laid out earlier, I can understand why no legislation 
passed in those other States. 

We were different in the fact that we had a law to protect and 
the people decided to refer it. And when the people made connec- 
tion with the truth, the people spoke loudly and clearly. That is 
what I believe is the sentiment all across the United States, as you 
have heard from your colleagues here on the panel and from the 
panel members themselves. 

This is a national strategy, I believe, by the financial services 
industry, led by the banking industry, to confuse the issue and kill 
any type of legislation that is attempted in North Dakota. 

I wish they could come to North Dakota now and talk to some 
of my legislative colleagues who went through this media battle 
and now understand the issue, who are very angry at the way that 
our legislators were misled by the lobbying efforts of the banking 
institutions. 

So you confuse. You mislead. Sometimes you out and out lie. And 
the legislators, with that type of pressure, are going to go along 
with no change because they may think that is what is in the best 
interest of their State, which it is not. 

Chairman Sarbanes. Yes, Attorney General Hatch. 

Mr. Hatch. Mr. Chairman, I would like to point out for Min- 
nesota, that at least the lobbying effort that occurred did not di- 
minish the issue. It is coming back and it will continue to come 
back until something passes. 

But I do want to point out, it wasn’t just the banks. There is a 
lot of different interests involved in this. You have the tele- 
marketing companies. You have, as I mentioned, insurers, HMO’s. 

And frankly, if I took a poll of the banks in Minnesota, you would 
find probably a majority in favor of privacy, but they would be the 
smaller ones. They do not want this information out there. They do 
not want this information being taken by a Citibank or whoever, 
and then stealing their clients. It is not the small ones who are 
doing it. 

So do not give too bad a rap here to the banks of America. A lot 
of the small ones are not interested in this issue at all. They have 
operated very well with an opt-in system because they do not want 
to do it. 

As I mentioned before, a First Amendment right to disseminate, 
does this mean that an employee of mine — I have companies that 
represent companies, an employee can take the customer list? They 
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have a First Amendment right to disseminate it? Does the bank 
have a right to take the bank deposits of my clients and go dissemi- 
nate it to their competitors, their customer list? I do not think so. 

There has been very strong privacy rights by common law in this 
country with regard to property assets. I would hope that GLB did 
not touch that. But you know what? I suppose one could interpret 
it to have done so. What a tragedy? 

Chairman Sarbanes. I am going to yield now to Senator Shelby. 
Did you want to say something? 

Mr. Dugan. Mr. Chairman, I want to respond on the point about 
smaller banks. 

I think the fact is that smaller banks have to share information 
with other financial institutions to offer the range of competitive 
products that diversified financial institutions can provide. And we 
are very strong supporters of that kind of sharing, which is pre- 
cisely what was recognized in Gramm-Leach-Bliley, and which was 
precisely what was recognized even in the California bill that al- 
most passed. 

Chairman Sarbanes. Well, but should the consumer have a say 
in that? Shouldn’t he have a say? 

That’s all. That’s all. I do not think there is any approach that 
would rule it out absolutely. It would just put the decisionmaking 
authority in the person who provides the information. It is personal 
information about them, and they should have, it seems to me, 
should be able to control where it goes and what is done with it. 

But I have strayed over my time. I yield to Senator Shelby. 

Senator Shelby. Thank you, Mr. Chairman. Again, I want to 
thank you for calling this hearing. I also want to commend Senator 
Sarbanes, that in the conference, we were all on it with the House, 
dealing with Gramm-Leach-Bliley, Senator Sarbanes had the fore- 
sight to offer the amendment to protect the States’ ability to deal 
in this area over and above. 

I think that is so important to Senator Sarbanes. I have been in- 
volved with you and I have worked with you and I have worked 
with a lot of people on this. I believe myself that the people ulti- 
mately are going to prevail here. The people are going to win this 
battle, no matter how much money is spent against it because this 
is an important right of the people, as Ms. Schlafly talks about. 

Mr. Kasper, I have a few observations and some questions. 

One, I want to commend you for getting involved and what the 
people of South Dakota did. That was not isolated — of North Da- 
kota, excuse me. Made a mistake. 

Mr. Kasper. That is all right. 

Senator Shelby. But what they did, they understood the issue. 
And if the people understand the issue, they are not going to give 
their privacy away. I believe that. Not many of them, and so forth. 

I do want to also take a few seconds and commend both the At- 
torneys General here. They have been outspoken. Somebody has to 
speak up for the people, and they do this. 

Ms. Schlafly, we have worked together on a number of issues, 
and this privacy issue cuts across all political philosophy, and all 
parties, Democrats, Republicans, and so forth. 

I have worked with Mr. Mierzwinski on a number of occasions. 
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I wish my State of Alabama had a referendum proposition, a 
proposition where you could bypass the legislature, if you had so 
many people. A lot of the States do. And that goes back to the 
Sarbanes Amendment. That is going to be the linchpin to this, I 
believe. 

Now, I want to direct this to Mr. Dugan and Professor Cate. 

I would like to know from you, if you can, to the extent that you 
can provide the details here, what happens to, and I will just use 
myself here, my personal information when I open a checking ac- 
count, get a credit card, and that kind of thing. Just say I were to 
go down the street here and open up a checking and savings ac- 
count. What happens to that information? Let me just run down a 
list of questions. 

What information are they required to obtained from me? How 
does the bank use it? Do they share it? And yes, what do they actu- 
ally share, and who with? Why do they share it? Well, I think we 
know that. Who do they share it with? Affiliates? Third parties? 
Partners in joint marketing agreements? You can create those. 
That is so easy. 

Do they sell it? What effort does the bank or financial institution 
make to ensure its security? Or how can it be secure once it is 
gone? What about affiliates and third parties who may gain access 
to the information? Do they undertake efforts to protect it? Who do 
they protect it from if they are using it? 

All these questions I think need to be answers because people in 
America, across all party lines, are going to be asking. They are be- 
ginning to. And hearings like this help. Can you help me there? 

Mr. Dugan. Well, let me start and there is quite a long list. 

Senator Shelby. Sure. 

Mr. Dugan. If there are other things, we would be happy to fur- 
nish it for the record as well. Professor Cate can jump in as well. 

Senator Shelby. Sure. 

Mr. Dugan. I think in the first instance, when information is col- 
lected from consumers, there are two kinds of information. The 
first is information that is used to make a judgment about making 
a loan to you or underwriting insurance for you. That kind of infor- 
mation is covered by the Fair Credit Reporting Act. 

And because that information can be used to make an important 
decision, it can have a very important effect on the consumer, the 
restrictions on that information under Federal law are stricter than 
they otherwise would be. In fact, that kind of information cannot 
be shared with third parties except under very specific circum- 
stances such as sharing with the credit-reporting agencies. It can 
only be shared with affiliates subject to an opt-out. 

If the information doesn’t relate to that kind of information, then 
the Gramm-Leach-Bliley system kicks in and the information can 
be shared to carry out things that I think everybody would say it 
should be shared for it. It obviously has to be shared with third 
parties when you write a check and the check goes through the 
clearing system to other banks to carry out your transaction. It has 
to be shared with third parties in order to do the very thing you 
have asked for. And nobody quibbles with that, and I am sure you 
do not, either, Senator. But I think you then get to the question 
of, is it shared for marketing purposes? 
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I think institutions use it to — they would want to know, for ex- 
ample, if you were a good customer of the bank and you had a 
large deposit, that would be a customer that they would want to 
make sure was treated well with respect to other kinds of products. 
If you were a long-time customer of the bank, that kind of informa- 
tion, they would want to know that. 

And so, the information would be shared inside the bank in order 
to make decisions to cross-market products, and it would be shared 
with affiliates as necessary if they thought that would be useful to 
provide products and services to you. 

Now, if it gets to third parties, that is where Congress drew the 
line and said, if it goes to a nonaffiliated third-party, then they 
have to give you the right to opt-out of that type of sharing. 

Senator Shelby. But you can create an affiliate fast, can’t you? 
You can create a joint marketing agreement so fast. 

Mr. Dugan. We think affiliates 

Senator Shelby. There are a thousand ways to get around. 

Mr. Dugan. We do not think it is getting around. We think an 
affiliate is all part of the same organization. If you have Citibank 
and Citibank Mortgage Lender, that is really the same thing to the 
consumer. It is all part of one organization. 

The line comes when the information is shared outside the com- 
monly controlled organization, particularly to commercial compa- 
nies or nonfinancial companies. And there, Congress drew the line 
and said, that is a place where the consumer should have some 
control and that is where they established the opt-out. 

We think that is appropriate. 

Senator Shelby. You used the word scheme earlier. A lot of peo- 
ple believe this was a scheme. That is, the opt-out was a scheme 
to hijack people’s personal information, knowing that with all the 
trouble and all the notices and not understanding what was going 
on, that most people wouldn’t know the real issue. The notices were 
meant not to let them know, but to let them throw it away. 

Mr. Dugan. Well 

Senator Shelby. Whereas — wait a minute — whereas, if you go 
with the premise that this is your information that you send that 
belongs to your checking account, your savings account, and all 
this, and it is your property right, as Ms. Schlafly talks about, 
which I believe, it belongs to you, and you have a confidential rela- 
tionship, or should have — most people think they do — with their fi- 
nancial institution. 

Gosh, how can you justifying selling that, using that without the 
permission of the customer, the expressed permission? How can 
you do it? 

I think Attorney General Hatch made a good point. 

Mr. Dugan. From our point of view, I do not believe 

Senator Shelby. And your point of view is the point of view of 
the people you represent, right? 

Mr. Dugan. It is the people who have to serve their customers 
every day, and it is an industry that is built on maintaining the 
trust of their customers. 

Senator Shelby. This is a way to break it down, isn’t it? 

Mr. Dugan. Well, that is where we disagree. 

Senator Shelby. I think that is under attack all over America. 
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Mr. Dugan. With all due respect, Senator, we think the informa- 
tion-sharing that goes on helps consumers, helps provide 

Senator Shelby. How does it help them? I want to hear that. 

Mr. Dugan. I will give you an example. 

Let’s say you had an opt-in scheme and at the beginning of a cus- 
tomer relationship — from our point of view, many consumers do not 
either opt-in or opt-out. They are less sensitive to this concern. 

If you have an opt-in scheme and they do not opt-in to some in- 
formation-sharing, they just do not pay attention to it and they do 
not opt-in, then they do not get to hear about some of the benefits 
that would otherwise apply. For example, if someone has a deposit 
with a bank, it is a common practice for the bank to give a discount 
on a mortgage provided by an affiliated company. Or it may be the 
case that someone has a high-rate credit card loan and the institu- 
tion knows that he or she has a high-rate credit card loan and also 
knows that that customer could qualify for a much lower interest 
rate home equity loan from an affiliated company. 

If an opt-in restriction were in place, as in one of the California 
bills, you have a situation where someone would be punished for 
calling up and trying to tell the customer that he qualified for 
something that was of real benefit to him, because he did not opt- 
in at the beginning of this relationship. 

Senator Shelby. Mr. Kasper. 

Mr. Kasper. Thank you, Senator Shelby. 

That begs the question. We are here talking about banking prod- 
ucts. What about insurance and securities products. An inducement 
to purchase an insurance product is called a rebate and it is illegal 
under almost all State insurance laws. 

What about the small independent business people across the 
United States who are in the insurance and securities business as 
independent entrepreneurs trying to make a living competing with 
this inside information that is being passed around by the banks 
to their insurance organization to their securities organization? 

It wipes out competition. It wipes out small business. 

Our Nation is built on competition. This is anticompetition and 
the basis, the lifeblood of it is the free-flowing of this confidential 
information inside the financial conglomerates. 

Where we are heading with this is thousands and thousands of 
businesses being out of business because we cannot compete. 

Senator Shelby. And fewer choices for the consumer. 

Mr. Kasper. Absolutely fewer choices, Senator. Absolutely. The 
ones that benefit are the big institutions, not the consumer. 

Senator Shelby. Attorney General Hatch. 

Mr. Hatch. Mr. Chairman, Senator Shelby, I believe the ques- 
tion was about the industry, are they reflecting the needs of their 
customers? 

Exhibit A, what I filed, is a customer sheet. This is from Fleet 
Mortgage. These are their customer service reps and what they told 
the officers of Fleet Mortgage. 

I just briefly have a couple of comments. 

“Ninety-five percent of my calls pertain to people wanting to can- 
cel their policies. I think we should have to get a signature.” 

Another one says, “They feel it is a fraud, it is a scam, they 
never wanted the insurance.” 
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Another one is, “I think it is more hassle than it is worth.” 

Another one is, “I apologize for the inconvenience.” 

Another one is, “Customers should have to sign up for the prod- 
ucts. Don’t just add them to accounts.” 

And by the way, this is the company. This is an affiliate of the 
company. 

The best one from an employee of Fleet Mortgage to its officers. 

Chairman Sarbanes. So these are some internal comments of 
the company. 

Mr. Hatch. Oh, yes, internal. 

Chairman Sarbanes. Internal. 

Mr. Hatch. I am hopefully not breaking too many laws here. 

[Laughter.] 

Chairman Sarbanes. No, no, no. But I mean this is what they 
are saying to one another. It is like these stock analysts who tell 
people to buy the stock. And meanwhile, they are sending e-mails 
to one another saying what a turkey the company is. 

Mr. Hatch. Correct. The best one is — this is from an analyst to 
the supervisor — I hope that Fleet Mortgage makes enough revenue 
from optional insurance to justify all the calls on our 800 line from 
customers trying to cancel. 

Now is that an industry that is really representing its cus- 
tomers? I do not think so. In fact, I cannot find one comment — and 
this is their whole list — there is not one of them that is positive 
about what they are doing. They are all complaining. 

Senator Shelby. Mr. Chairman, I hope that as we go along with 
hearings, that we will get deeper into this and I hope that we can 
get some inside information like that. 

I also want to mention, Mr. Chairman, that I saw — and I haven’t 
talked with him — where Congressman John Dingell had initiated a 
probe into the tying of loans. In other words, I will loan you the 
money if you buy insurance or if you do so and so. I think that is 
something — because that is illegal. And that is something that I 
hope under your Chairmanship, that we will look into, also, be- 
cause that does destroy competition in a big way. 

Ms. Schlafly, do you have any comments on this? 

Ms. Schlafly. I do think that we should consider this a property 
rights issue. 

Senator Shelby. Absolutely. 

Ms. Schlafly. I mean, I believe I own the information about 
how I am spending my money and what I am planning to do. 

Senator Shelby. In other words, who does the information be- 
long to? 

Ms. Schlafly. Right. 

Senator Shelby. Do you give it away? Is it gone? Gosh, if it does, 
the American people are going to be in for a shock, aren’t they, a 
big, big shock. 

One last question, Mr. Chairman. You have been very indulgent. 
How many signatures does it take to get a proposition on the ballot 
in California? 

Mr. Mierzwinski. Senator, I actually do not know the exact 
number, but I can tell you that our organization has been involved 
in a number of them. It is a significant number, 1 percent or some- 
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thing of the people who voted in the last gubernatorial election 
across all of the counties. 

We have been involved in a number of these and we are part of 
a group that is, along with I believe the California Office of Con- 
sumers Union, Consumer Action, a California-based group, Privacy 
Rights Clearinghouse, we are seriously considering going directly to 
the ballot. And by the way, the industry is split on this. There is 
one Internet bank that is a pro-privacy bank that is supporting the 
initiative, e-Loan Bank. 

So, we are looking forward to working with an industry that 
actually believes that privacy is something that they can market. 

Senator Shelby. Mr. Kasper. 

Mr. Kasper. Thank you, Senator Shelby. 

When I was in California, I had the pleasure to meet Mr. Chris 
Larson, who is the Chairman of e-Loan. com, the bank that Ed 
Mierzwinski referred to. 

The amount of signatures that they will need in California is be- 
tween 700,000 and 900,000. He is so serious about this issue, that 
he has personally put up a million dollars of his own money to help 
get those signatures on the ballot. I understand the way the Cali- 
fornia initiatives work, you can actually hire people to get your sig- 
natures. So it is between 700,000 and 900,000. 

Senator Shelby. Mr. Chairman, thank you for your indulgence. 

Chairman Sarbanes. Thank you, Senator Shelby. 

Senator Akaka. 

Senator Akaka. Thank you very much, Mr. Chairman. 

Mr. Chairman, we seem to be listening to a choir that is singing 
the same song about a huge problem out there in America. 

Chairman Sarbanes. Well, there is some dissonant notes in this 
choir, I add. 

[Laughter.] 

Dr. Cate. Thank you, Mr. Chairman. 

[Laughter.] 

Senator Akaka. There is a huge problem out there in America 
having to do with the privacy notices. I just happened to have a 
few here that I have been looking at. I have been reading and re- 
reading the notices. The notices are very complex and difficult to 
understand. What kinds of changes can be made to privacy notices 
to make them easier to understand? Also, what do the privacy no- 
tices fail to include that consumers should know? 

If we can get feedback on these questions, that may help us in 
our quest to craft language that can help. 

Mr. Dugan. I would be happy to respond, Senator. 

We agree with you that the privacy notices are more complicated 
than they should be. And as I said in my testimony, I think a real 
fundamental part of the problem is that there is always a tension 
with privacy notices about trying to give enough information to 
consumers to make an informed judgment, but not giving too much 
information so that people are confused and end up not reading the 
notices. 

I think the regulators tried very hard to come out with things 
that simplified the requirements of the statute. But in the end, it 
turned out that what they proposed, and some of the sample 
clauses that they proposed and some of the legal terminology that 
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they used was very, very complicated. Indeed, some of the language 
that the Attorney General from Vermont quoted earlier was taken 
right out of these sample clauses. 

Regulators recognize this, as does the industry. But the industry 
is in a bit of a Catch-22 because when they see what the regu- 
lators have put out and what they put in these sample clauses, 
they have to hew pretty closely to it because, if they do not, they 
fear exposure to legal liability. 

And so, there is a question and there is, to be honest, some con- 
servatism the first time out to go and do the letter of what was 
being prescribed, and in some cases, that came out sounding very 
legalistic and confusing. 

I think since then, there has been very much an effort to try to 
deviate somewhat and keep within the spirit of the law. 

But more importantly, there have been projects that the regu- 
lators have encouraged and the industry is now engaging in to try 
to come up with something that is simple, one page, that has com- 
mon language terms, that language experts look at, that makes 
things easy to understand, to make the opt-out easy to understand 
and easy to exercise, and that people could use to compare among 
institutions. 

That is not an easy process. It is going to take some time to try 
to develop and there are several different efforts underway. But we 
believe that is an important direction to try to explore, and that is 
what we would see as the way to go about trying to improve the 
notices because we do believe that that is a legitimate issue. 

Senator Akaka. Mr. Kasper. 

Mr. Kasper. Thank you, Senator. I just jotted something down 
for your consideration. 

If the question and the notice said something like this: Federal 
law allows us to share and sell your personal financial information 
for marketing purposes and marketing products. If you do not tell 
us not to, question, yes or no? Do you want us to be able to share 
or to sell your information without your written permission in ad- 
vance? Yes or no. That would be simple. 

Senator Akaka. Yes. 

Mr. Kasper. Bold letters, easy to understand. The consumer un- 
derstands. 

Ms. Schlafly. How about a box to check? 

Mr. Kasper. That is right. Yes or no. Check the box. That is ex- 
actly what I meant. Check the box, yes or no. 

Senator Akaka. Mr. Hatch. 

Mr. Hatch. Mr. Chairman, Senator Akaka, I think that you get 
a very simple notice. People aren’t going to respond to an opt-out. 
People do not read these things. There is no inducement for it. 

In this country, we are used to an offer and an acceptance being 
an agreement. You have to have an affirmative act on both sides. 

What we have done here is deviated from hundreds of years of 
commerce by saying that we are going to go to an opt-out. If the 
law was simply changed to saying, you cannot trade the informa- 
tion without permission, other than to serve the actual transactions 
involved, I guarantee you the bank, the credit card company, every- 
body, it would be very simple. It would be very clear, and they 
would offer something. And the consumer would respond to that 
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offer. It might be frequent flier miles. It might be — if, indeed, about 
$300 is made off the sale of information on myself and on every- 
body else here in a year, and if 20 percent of it, if they offered that, 
some consumers are going to respond. 

Yes, I do want my magazine subscriptions to be disclosed. No, I 
do not want my checks to be disclosed to other people. But give me 
the choice. It is my property. It is a personal liberty right. 

If you have an opt-in, people will respond. There will be disclo- 
sure of information. It is just simply that people will pay for it. We 
are going to find out that it is a free enterprise system. It is a capi- 
talist system, it should be. Let’s let it work. They will make real 
clear disclosures. It will be clear. And they will even offer some- 
thing for it. 

Mr. Sorrell. I agree with General Hatch, that if opt-in was the 
standard, the industry that is struggling now to come up with sim- 
pler and more comprehensible privacy notices would find a way 
quickly to say clearly what the right is and make the case that it 
should be granted, that it wouldn’t be eight pages into the notice 
and it wouldn’t be using this language that somebody mentioned, 
you have to be a lawyer to understand it. This lawyer does not un- 
derstand it. 

So if opt-in was the standard, the industry would find a way, 
using its expertise, to make the most compelling case, to convince 
the consumer why it is in the consumer’s best interest to give this 
permission. 

We have, as I think was said before, only minuscule privacy- 
related complaints post-Gramm-Leach-Bliley. The reason for that is 
because the average consumer doesn’t understand the notices, 
doesn’t understand what the industry is doing in terms of the shar- 
ing of information right now. 

These battles are not over in the State capitals. It is literally just 
beginning. Efforts by this Committee and comparable committees 
in State capitals around the country, this thing is just starting. 

Mr. Mierzwinski. Senator, I agree with the two Attorneys Gen- 
eral that opt-in is the right way to go. Without opt-in, you need to 
improve the notices by going to something like an express statutory 
language that appears in a box, as General Sorrell suggested ear- 
lier, similar to the nutrition box on the front of the notice. Because 
the only right you have is the limited right to say no to some of 
the sharing. But most of the notices put that at the end of the eight 
pages. The right has to be moved forward and then needs to be 
marketed by the agencies. And the legal gobbledygook and double- 
speak needs to be eliminated. 

Senator Akaka. Yes, Dr. Cate. 

Dr. Cate. Senator, two responses, if I may. 

First, I think we have to distinguish the setting in which you are 
talking about consent being obtained. 

If we are talking about the opt-in or opt-out or whatever the 
choice is being on the document that opens the account or you 
apply for the loan, clarity of the notice will I think undoubtedly 
come and getting consumers to respond is comparatively easy be- 
cause they have to respond. They have to do something to move on. 

What Gramm-Leach-Bliley did and what I think is of greater 
concern, is to apply a requirement to data that has already been 
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collected, so consumers who are not coming to an institution look- 
ing for service, but rather, requiring the institution to go out to the 
consumer. We know that it is very difficult and enormously intru- 
sive to the consumer to actually reach them. 

There are many studies, there is testimony before the Federal 
Communications Commission, there have been court cases on this 
about the number of phone calls it takes, the number of letters it 
takes, and the fact that adding money to the offer makes absolutely 
no difference statistically. For example, the Post Office tells us that 
unsolicited commercial mail, not first-class mail, but unsolicited 
commercial mail, that half, 52 percent of those are thrown away 
without being opened. So it won’t matter how many $5 bills you 
stuff in the envelope. If they are thrown away without being 
opened, it is going to be very difficult to get consent, no matter 
what the consent system is. 

The first point is that it is critical to keep in mind here the dif- 
ference between the settings in which we might ask for consent. 
The second point is the question of liability related to notice. 

It would be much easier to write standardized notices, which I 
think were suggested earlier and are a terrific idea, notices you 
could compare across institutions like food labeling. 

The problem right now is that all of the information you have to 
explain to comply with the law, and if you explain inaccurately in 
any degree, you are liable. It is a strict liability standard. 

So if you say, “no, we do not share your information with third 
parties,” but it turns out you actually have a processing service 
that does work for you under contract, even though it cannot do 
anything with the information other than process it, that violates 
the terms of the notice. 

Then you get these complicated statements — “we do not share in- 
formation with third parties, other than for processing purposes” — 
and these lengthy explanations. 

If we move to a common sense regulatory system, if the FTC, for 
example, were empowered to develop a system of basic questions 
that consumers would find the answers useful to — “Do you share 
information with third parties for marketing? Yes or no?” That 
would be a question that I think all of us would understand the 
answer to, and I think frankly that is what many of us care about. 

We are not actually interested in who processes your payroll or 
who processes your checks. We want to know, “Are you sharing the 
information so that I am going to be getting mail.” 

That type of notice offers tremendous opportunities because it 
also allows for real customization. You can say, not only “Do you 
want to hear from us or not,” but also you can say, “Do you want 
to hear from us by e-mail? Do you want to hear from us by mail?” 

We can actually allow a tremendous amount of consumer choice. 
But we are going to have to back away from this very complex 
strict liability regime to make that work. 

Senator Akaka. Mr. Kasper, did you have a comment? 

Mr. Kasper. I did, Senator. Thank you. 

I just wanted to be sure the record reflected, in responding to 
your question about what the notice should say. That does not 
mean that I agree that that is what the notice should be. I support 
no-opt for affiliate-sharing and opt-in for nonaffiliate-sharing. 
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The comments from the industry spokesmen begs to ask, are you 
assuming, then, that the people of the United States are sitting at 
home breathlessly waiting for their telephone to ring so that they 
can buy something from you on the telephone that they neither 
want, nor need? 

I happen to believe that the answer is no. People will buy when 
they want, from whom they want, and what they want, if they are 
left alone. This bombardment by the telemarketing organizations 
and the banking organizations assumes that the people want the 
stuff. They do not want it. They do not want to be intruded upon. 
They want to be left alone. 

Senator Akaka. Mr. Chairman, I know that my time is up. I just 
want to mention that next year, we may be considering the Fair 
Credit Reporting Act. We will need to look at possible changes in 
the legislation to ensure that consumers have the necessary privacy 
protections. 

Thank you very much, Mr. Chairman. 

Chairman Sarbanes. Thank you very much, Senator Akaka. 

Senator Carper. 

COMMENTS OF SENATOR THOMAS R. CARPER 

Senator Carper. Thank you, Mr. Chairman. 

To our witnesses, welcome. We thank you for your testimony 
today and for your response to the questions that are being posed. 

When Congress was debating and finally passing Gramm-Leach- 
Bliley, I was back in Delaware trying to govern the State as their 
Chief Executive and I did not participate in the debate here or in 
the conference. 

I do not know if any of you are comfortable in taking us back a 
couple of years to the time when that debate was ongoing and the 
compromise was worked out, which is now part of the law of the 
land. And just take a minute and tell this old governor, how did 
we end up with the compromise that we now have? 

Mr. Dugan. Well, I was involved at the time representing finan- 
cial institutions. 

I think — and this is just one person’s view of how this came 
about — that there was, in fact, tremendous concern about imposing 
an opt-in regime and that, on the other hand, I think there was 
true concern about when information is shared outside a corporate 
family, and it led to the notion that something should be done to 
provide consumers with control when information gets shared out- 
side of a corporate family. 

That is where the debate first started about providing — some 
people wanted to go further and some people thought that we did 
not need anything. But that is where Congress struck the balance 
and said, we should allow consumers the right, make institutions 
give consumers the right, to opt-out for sharing outside of the cor- 
porate family. 

On the other hand, smaller financial institutions came in and 
said, that is not quite fair because for us to compete and offer a 
range of financial services, there are relationships that we have to 
enter into, joint marketing relationships with other financial insti- 
tutions — not just any company, but other financial institutions — in 
order to survive, and we have to be put on the same footing, the 
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same playing field as affiliates. That is what caused the creation 
of the joint marketing exception for the sharing of information with 
other financial institutions. 

Congress also imposed strict limits on the redisclosure and reuse 
of information, however it was shared. There was also tremendous 
debate — when this thing got started, everybody thought it was sim- 
ple, but there were many, many kinds of information that needed 
to be shared, and not just to carry out a transaction. The law recog- 
nized a whole host of exceptions from the opt-out restriction, these 
exceptions were very suspiciously viewed at the time, but turned 
out to be very wisely put in and have not been controversial since 
then. For example, sharing information with regulators, for judicial 
process, to detect fraud, to share with credit bureaus, etc. 

That was the basic structure that was put in place. The notion 
also was, you had to have notices because opt-out only works if you 
have meaningful notices, and you had to have a regulatory scheme 
to enforce it and actually write detailed regulations about it. 

What has happened since then is that this is the first time that 
the Government has written such detailed privacy regulations. In 
a sense, the financial services industry has been something of a 
guinea pig in that you have very detailed regulations being written 
for the first time where people had to struggle on how these kinds 
of things were sorted out and a number of decisions were made. 

I think a lot of progress was made, but, obviously, as I mentioned 
in context with the notices, there are more improvements that 
could be made. 

Senator Carper. General Hatch. 

Mr. Hatch. Mr. Chairman, Senator Carper, this is my recollec- 
tion and it is from the hinterland. So, I could be totally wrong and 
I am sure the Chairman has a much better recollection of how this 
privacy provision got into play. But in the hinterland, in June, I 
sued a bank, U.S. Bank, and alleged that they had taken a million 
depositors and sold 22 pieces of information to telemarketers, mak- 
ing a lot of money on this thing. 

The day before, the OCC Chairman Hawke had given a speech 
in San Francisco, and he had been harping about this for years, 
saying, banks, you have to clean up your act. 

They are all denying it. 

So the day afterwards — they all denied it — we filed the suit. Very 
clearly, we were in communication with the OCC on this issue. We 
filed the suit, and I will never forget it. On Wednesday, all the 
banks said, oh, we are not doing this. Just U.S. Bank. 

By Thursday, all of them were saying, I guess we are doing it. 
We are not going to do it any more, because we were basically say- 
ing, it was consumer fraud because they had said that there was 
a right to privacy in their literature. We were also alleging a com- 
mon law right to privacy with regard to financial data. 

They were disclosing, for instance, your high balance, your low 
balance, all sorts of information from whence, you know, a tele- 
marketer will know when to hit you, which day of the month, how 
much disposable income you have, what your age is. And, as I men- 
tioned earlier, two-thirds of this is targeted to the senior citizens. 

We were plowing through on this suit, and the bank came in and 
we started doing some negotiation. We had an opt-in agreed. 
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But then, I get a call and I am told that the GLB, Gramm-Leach- 
Bliley, is going through, which had nothing to do, to my knowledge, 
with privacy. The Chairman would know better than I. But my un- 
derstanding was that it did not have anything to do with privacy 
at that time. 

There was a grand debate over Glass-Steagall that was passed 
in 1933, and the Douglas Amendment that was passed in 1956 
with regard to what banks, what business they could get into. 

And next thing I know, all these banks are plowing into Min- 
nesota, or at least these lobbyists plowing in, all these threats and 
no, you cannot settle this thing with an opt-in. Congress is going 
to preempt everything. 

But for the Chairman’s amendment, everything we were involved 
with then would be worthless. 

I do not think this was any great thought-out privacy act. But 
for the efforts to hold it off and allow the States to do something, 
it was just simply a way to get around killing the right to privacy 
as it relates to banks. Maybe I am wrong. 

Chairman Sarbanes. Well, for the sake of full and of fair 
disclosure 

[Laughter.] 

— we should register that the position of the industry at the time 
was that there should be no privacy protection. That was their 
basic position. 

Now, what we ended up with in the bill was, there was an effort 
made to try to deal with the privacy issue and we got what I re- 
gard as some minimal provisions. But also, in light of the fact that 
they were so minimal, we were able to get a provision in, an ex- 
plicit provision, that the States could go beyond the Federal. 

My own view is that if we had not gotten that provision in, that 
we would still not have preempted. But it would have left open the 
argument to be made, which I am sure the industry would have 
made, that simply putting the standard, the minimal standards, in 
constituted a preemption, even though the legislation might not 
have said that there was a preemption. 

In any event, we were able to avoid all of that by getting the 
explicit provision that the States can go beyond, and therefore, I 
think, saving the Attorneys General a lot of litigation that other- 
wise would have occurred, asserting that the minimal standards in 
Gramm-Leach-Bliley constituted a preemption. 

But to put all of this into perspective, the industry’s position at 
the time that we were considering this legislation was that there 
should be no privacy protections. 

Mr. Dugan, I have to say to you and your clients here today that 
this issue has not reached a point of equilibrium or a point of 
repose, in my judgment. In other words, I do not think that the 
current provisions about privacy protection are perceived by most 
people as being adequate. 

Therefore, I think this issue is going to remain on the agenda. 
And it seems to me that it behooves those that are interested in 
it to start thinking in a positive and constructive way about what 
the system could be that would provide the extent of protection 
that most people would conclude is appropriate, that puts the issue 
to rest and might well encompass within it accommodations for 
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some of the administrative things that the industry is concerned 
about. At least that should be examined and considered. 

Otherwise, it is my prediction that if we continue along in the 
current path, there will be the equivalent of Enron and Worldcom 
one of these days in the privacy field, and you may well end up 
with a regime which you say, oh, how did we ever get to this point? 
And the answer is going to be, you got there because you weren’t 
trying to work through to a positive and rational solution. 

Now, I want to commend the Attorneys General for the interest 
they have taken. It is extremely important. And I know the two of 
you are only reflective of many others in other States across the 
country who have interested themselves in this issue. 

Mr. Kasper, certainly you contributed immeasurably by coming 
here today and telling us the North Dakota experience. Of course, 
Mr. Mierzwinski has been working on this issue. 

Ms. Schlafly, I have to say, you added this property dimension 
issue, property rights dimension. It is a very interesting dimension. 
I had not really thought about it as much as I probably should 
have until you started speaking here today. It is very interesting. 

If it means so much economically to these institutions to get this 
information and use it, obviously it has some kind of property 
value. It starts out coming from the consumer. That value should 
be protected or at least compensated for, perhaps. It raises a very 
interesting question, over and above the basic privacy issues. 

Anything else, Senator Carper? 

Senator Carper. Just one last thing, if I could. I am going to ask 
if maybe Mr. Dugan would just reply for the record and not here 
today because the hour is late. 

My wife is from North Carolina. A member of her family’s iden- 
tity was stolen, a victim of identity theft. Probably everybody here 
knows someone personally who has gone through what she has 
gone through. It has not been fun. 

And just in the last week, I get a weekly report from a person 
on my staff in Delaware who heads up constituent services for me. 
We are beginning to see a growing number of people who call our 
office because they too are victims of identity theft. 

The question I am going to ask, perhaps, for Mr. Dugan — I do 
not mean to pick on you, but just for the record, if you could let 
me know what steps you are aware of that the financial services 
industry is taking to help combat this problem. 

Mr. Dugan. I would be happy to do that, Senator. And I do just 
want to say, very briefly, that you raise a very good point. 

That is precisely the kind of thing, we do think that that is a real 
issue. And it is that kind of issue that, if there is a need, should 
be addressed, that there is legislation that needs to be done to take 
some steps in that direction. That is something, a targeted kind of 
harm where there is a problem. Then we should try to come up 
with things that go right at that, as opposed to something very 
nebulous and broad-based about information-sharing generally, to 
try to get at the same thing. 

But we would be happy to respond. 

Senator Carper. Thank you. 

Mr. Mierzwinski. Senator, if I could add briefly. From the con- 
sumer groups’ perspective, identity theft results largely from a fail- 
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ure of the big banks, the credit card companies, and the credit 
bureaus to adhere to all of the Fair Information Practices and take 
care of our information. 

It is too easy for a thief to represent themselves as me. All they 
need is my Social Security number, a very poor unique identifier, 
and my name. And then they apply in my name. The credit bureau 
gives the bank a copy of a credit report that says, he passes, and 
then the credit card is mailed to the wrong guy. 

That is how easy it is. 

We consider this debate over opt-in and opt-out sometimes covers 
up all of the other issues related to privacy. But how the institu- 
tions take care of information is just as important. 

Senator Carper. Thanks, Mr. Chairman. 

Chairman Sarbanes. I may note as we draw to a close that the 
European Union has developed privacy protections well beyond 
anything that we have here. 

American companies are trying to meet an adequacy standard. 
They have not been able to do that yet. They may have to go to 
Safe Harbor, which they do not want to do because they would 
have to elevate the protections they provide. But I am increasingly 
concerned about this. The EU is a growing economic force, and its 
size, both in terms of population and gross national product com- 
pares with the United States. 

If we are not careful, many of the advantages that we have had 
as the economic leader, and I think, suppose the EU moves ahead 
with better privacy protections. They seem to be moving ahead 
with better accounting standards, although we may now be able to 
remedy that situation. 

But they have this accountability — we used to say to them, you 
have to do American-style accounting because that is the best in 
the world, the most transparent. We have the best integrity of the 
markets. And now they are saying to us, what? 

[Laughter.] 

They are out there trying to compete with us because we are fall- 
ing short. These issues have far-ranging implications, I think. And 
this does not strike me as the issue that you are either here or you 
are there. 

There is obviously a whole area in which we can work to try to 
reach a reasonable solution. But I do think if we are going to do 
that, we have to move significantly back in the direction that our 
starting point is that this information belongs to the individual 
who provides the information. And then you go from there in terms 
of what uses can be made of it and the individual’s involvement in 
making that judgment. 

We want to thank all of you for coming. This has been an ex- 
tremely helpful panel. We appreciate the time and the effort that 
each of our witnesses gave in preparing for it. 

The hearing stands adjourned. 

[Whereupon, at 12:35 p.m., the hearing was adjourned.] 

[Prepared statements and additional material supplied for the 
record follow:] 
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PREPARED STATEMENT OF WILLIAM H. SORRELL 

Attorney General, State of Vermont 

September 19, 2002 

Good morning, and thank you for inviting me to speak with you today on the im- 
portant issue of financial privacy. I would like at the outset to recognize and express 
my gratitude for the critical role played by this Committee in the protection of con- 
sumers’ financial privacy. Unfortunately, the Gramm-Leach-Bliley Act (GLB) 1 does 
not protect consumers’ financial privacy as intended by this Committee. I recom- 
mend that this Committee take further action to ensure that its previous good work 
results in real protections for consumers. 

In these comments I address the following topics: 

1. The inability of GLB, as currently construed by Federal regulators, to stop the 
abusive telemarketing practices that gave rise to the financial privacy provisions of 
GLB in the first instance. 

2. The inability of consumers to exercise their rights under GLB because industry 
notices are incomprehensible. 

3. The problems associated with sharing of financial information among corporate 
affiliates. 

4. The need to allow States to continue to address problems associated with shar- 
ing of financial information both among affiliates and nonaffiliated third parties. 

5. Recommendations for Congressional action in these areas. 

GLB Does Not Protect Consumers From Harms Associated With Sharing 
Nonpublic Financial Information 

Congress intended Title V of GLB to protect consumers from abuses associated 
with sharing of nonpublic personal financial information. As a result of enforcement 
actions brought by State Attorneys General against information-sharing practices of 
major banking institutions, Congress created Title V to protect consumers with re- 
spect to such sharing of their financial information. However, the provisions of Title 
V are insufficient to protect consumers from the harms associated with these prac- 
tices, and pose considerable risks to consumers. The provisions that allow financial 
institutions to share encrypted account numbers and other forms of billing informa- 
tion for marketing purposes are particularly troublesome. Moreover, the notices 
issued by financial institutions under GLB have been dense and require a high 
reading level to comprehend, resulting in consumer confusion and inability to exer- 
cise informed choice. Congress should act to correct these problems, thus ensuring 
Title Vs capacity to protect consumers in the area of financial privacy. 

GLB Does Not Protect Consumers From Fraudulent Telemarketing 

The information held by financial institutions about their customers is highly val- 
uable. While financial institutions might not disclose this highly valuable informa- 
tion to their competitors, they do disclose this information to marketing partners 
and to third parties for the purpose of jointly marketing products and services unre- 
lated to the customers’ current service selection, and even unrelated to the par- 
ticular type of services performed by the financial institution itself. The harm to a 
consumer resulting from this type of information-sharing stems from the tactics 
sometimes used in marketing new products to the consumer, who usually does not 
realize that the marketer already has the consumer’s credit card number, or access 
to the credit card account through an encrypted number or other unique means of 
identification. 

Indeed, it was well known in 1999 that practices of sharing customer financial 
information by major banking institutions facilitated these telemarketing abuses. In 
the spring of 1999, the Minnesota Attorney General announced a settlement with 
U.S. Bancorp, resolving allegations that U.S. Bancorp misrepresented its practice 
of selling highly personal and confidential financial information regarding its 
customers to telemarketers. One year later, thirty-nine additional States and the 
District of Columbia entered into a similar settlement. 2 The States’ investigation fo- 
cused on the bank’s sale of customer information — including names, addresses, tele- 
phone numbers, account numbers, and other sensitive financial data — to marketers. 
Based on this confidential information, the marketers made telemarketing calls and 


!Pub. L. No. 106-102 (1999). 

2 The basis for the States’ action was their charge that U.S. Bancorp misrepresented its pri- 
vacy policy to its customers. In some account agreements provided to its customers, the bank 
listed the circumstances under which information would be disclosed, but failed to include any 
reference to the bank’s practice of providing such information to vendors for direct marketing 
purposes. 
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sent mail solicitations to the bank’s customers in an effort to get them to buy the 
marketers’ products and services, including dental and health coverage, travel bene- 
fits, credit card protection, and a variety of discount membership programs. Buyers 
were hilled for these products and services by charges placed on their U.S. Bancorp 
credit card. In return for providing confidential information about its customers, 
U.S. Bancorp received a commission of 22 percent of net revenue on sales with a 
guaranteed minimum payment of $3.75 million. 

As a result of the evidence uncovered through the U.S. Bancorp case, Congress 
intended to limit the ability of financial services companies to sell or give their cus- 
tomers’ nonpublic personal information to third-party telemarketers. Congress in- 
tended to forestall these abusive telemarketing practices by specifically prohibiting 
financial institutions from sharing an account number or similar form of access 
number or access code for a credit card account, deposit account, or transaction ac- 
count of a consumer with any nonaffiliated third-party for use in telemarketing, di- 
rect mail marketing, or other marketing through electronic mail to the consumer. 3 

However, the regulations adopted to implement GLB allow financial institutions 
to sell or to share encrypted credit card numbers or other unique identifiers, which 
enables the telemarketing abuses that were at the heart of Congressional concern 
to continue unabated. The Federal agencies’ rules implementing this section on 
sharing of account numbers sets forth two “examples,” the first one of which states: 

Account number. An account number, or similar form of access number 
or access code, does not include a number or code in an encrypted form, as 
long as the bank does not provide the recipient with a means to decode the 
number or code. CFR § 40.12(c) [emphasis added]. 

Thus, a telemarketer or other recipient of an encrypted account number or unique 
identifier is able to notify a financial institution that a particular consumer indi- 
cated a desire to purchase an item, thus causing the consumer’s account to be 
charged, without ever asking the consumer for permission to charge the account. 
The financial institution then uses its decode mechanism, which it never shares 
with an unaffiliated party, to determine which account to charge. This type of mar- 
keting is known as “preacquired account” telemarketing. The possibility of unau- 
thorized charges and fraudulent practices in such circumstances is greatly increased 
over situations where the consumer must affirmatively give a credit card number 
for the account to be charged. 

Preacquired account telemarketing is inherently unfair and susceptible to causing 
deception and abuse, especially with elderly and vulnerable consumers. Preacquired 
account telemarketing turns on its head the normal procedures for obtaining con- 
sumer consent. Other than a cash purchase, providing a signature or an account 
number is a readily recognizable means for a consumer to signal assent to a deal. 
Preacquired account telemarketing removes these shorthand methods of consumer 
control. The telemarketer not only establishes the method by which the consumer 
will provide consent, but also decides whether the consumer actually consented. 

The Federal Trade Commission, in its recent Notice of Proposed Rulemaking 
regarding the Telemarketing Sales Rule, has proposed prohibiting “preacquired ac- 
count” telemarketing. 4 Forty-nine States, the District of Columbia, and three Terri- 
tories recently filed comments with the Federal Trade Commission that strongly 
support this proposal. 5 In their comments, these States, Territories, and the District 
of Columbia noted that the consequence of this fundamentally unfair selling method 
is clear: Consumers are assessed charges for products they did not want, and did 
not understand they were purchasing. 

Fleet Mortgage Corporation, for instance, entered into contracts in which 
it agreed to charge its customer-homeowners for membership programs and 
insurance policies sold using preacquired account information. If the tele- 
marketer told Fleet that the homeowner had consented to the deal, Fleet 
added the payment to the homeowner’s mortgage account. Angry home- 
owners who discovered the hidden charges on their mortgage account called 
Fleet in large numbers. 6 . . . Approximately one-fifth of all calls by Fleet 
customers were about these preacquired account “sales.” Customers over- 


3 Gramm-Leach-Bliley Act, Pub. L. 106-102, Nov. 12, 1999, 113 Stat. 1338, Section 502(d). 

4 67 Fed. Reg. 4491. 

5 Comments of 52 Attorneys General, the District of Columbia Corporation Counsel, and the 
Hawaii Office of Consumer Protection Regarding Proposed Amendments to the Telemarketing 
Sales Rule, April 12, 2002, available at www.naag.org. 

6 The mortgage statements issued by Fleet hid the charges under the rubic “opt.prod.” at the 
very bottom of the bill in small print, such that it was extremely difficult to discover the charge 
or discern the purpose of the charge. For consumers on auto-draft from their checking or other 
bank account, Fleet gave no written notice of the charge. 
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whelmingly told Fleet that they did not sign up for the product, and wanted 
to know how it was added to their mortgage accounts without their ap- 
proval, consent, or signature. 7 

This Committee should take the lead in protecting consumers from such abusive 
telemarketing practices by prohibiting the use of encrypted numbers, unique identi- 
fiers, and other means for accessing a consumer’s account. 

Moreover, it seems likely that, as information-sharing increases, the risk of mis- 
use or misappropriation of such information increases as well. It may well be that 
the greater the quantity and level of detail of confidential information, and the more 
entities that possess such information, the higher the chance that the information 
will be stolen or misappropriated, or used for other inappropriate purposes, such as 
the improper denial of credit, insurance, or employment. I therefore urge this Com- 
mittee to look beyond the known risks of telemarketing abuses to identify and 
evaluate less obvious risks, including potential identity theft. 

GLB Notices are Inadequate to Advise Consumers of Their Rights With 
Respect to Information Sharing 

The notices to consumers that are required under GLB 8 are woefully inadequate. 
Consumers have been greatly confused by the dense information in the notices, 
which require a high education level to comprehend. As a result, consumers have 
not been adequately informed about their rights to opt-out of information-sharing 
with third parties. 

The opt-out notices provided by financial institutions in their effort to comply with 
GLB have not been “clear and conspicuous,” as those terms are commonly under- 
stood. Opt-out notices mailed by many financial institutions have been unintelligible 
and couched in language several grade levels above the reading capacity of the ma- 
jority of Americans. 9 Experts have highlighted the inadequacy of such statements. 
Mark Hochhauser, Ph.D., a readability expert, reviewed sixty GLB opt-out notices. 
Dr. Hochhauser determined that these notices were written at an average third or 
fourth year college reading level, rather than the junior high level comprehensible 
to the general public. 10 For example, the notice sent to customers by one financial 
institution stated: 

If you prefer that we not disclose nonpublic personal information about 
you to nonaffiliated third parties, you may opt-out of those disclosures, that 
is, you may direct us not to make those disclosures (other than disclosures 
permitted by law). 11 

Recent surveys demonstrate that consumers either never see and read such com- 
plicated opt-out notices, or they do not understand them. A survey conducted by the 
American Bankers Association 12 found that 41 percent of consumers did not recall 
receiving their opt-out notices, 22 percent recalled receiving them but did not read 
them, and only 36 percent reported reading the notice. Another survey, conducted 
by Harris Interactive for the Privacy Leadership Initiative, announced its results in 
early December 2001. 13 The Harris Survey indicated that only 12 percent of con- 
sumers carefully read GLB privacy notices most of the time, whereas 58 percent did 
not read the notices at all or only glanced at them. The Harris Survey further 
indicated that lack of time or interest and difficulty in understanding or reading the 
notices top the list of the reasons why consumers do not spend more time reading 
them. 

Those consumers that do read the GLB notices have voiced numerous complaints, 
raising concerns that the financial institutions’ unintelligible notices are an attempt 
to mislead them. 14 The opt-out approach promulgated under GLB has proven so 
problematic that the Federal agencies that administer the regulations under GLB 
convened an Interagency Public Workshop to address the concerns that have been 
raised “about clarity and effectiveness of some of the privacy notices” sent out under 


7 Comments of 52 Attorneys General, the District of Columbia Corporation Counsel, and the 
Hawaii Office of Consumer Protection Regarding Proposed Amendments to the Telemarketing 
Sales Rule, supra note 5. 

8 15 U.S.C. § 6802(b)(1)(A). 

9 See Robert O’Harrow, Jr., “Getting a Handle on Privacy’s Fine Print: Financial Firms’ Policy 
Notices Aren’t Always ‘Clear and Conspicuous,’ as Law Requires,” The Washington Post, June 
17, 2001, at H-01. 

10 Mark Hochhauser, Ph.D., “Lost in the Fine Print: Readability of Financial Privacy Notices,” 
httpd / www.privacyrights.org / ar / GLB-Reading.htm (2001). 

11 See Hochhauser, supra n. 10. 

12 Available at http :/ / www.aba.com / Press+Room / bankfee060701.htm. 

13 Available at http .7 / www.ftc.gov / bcp / workshops / gib (hereinafter “Harris Survey”). 

14 Harris Survey, supra n. 13. 
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GLB. 15 The agencies noted that consumers have complained that “the notices are 
confusing and/or misleading and that the opt-out disclosures are hard to find.” 16 

Where the vast majority of consumers do not even read opt-out notices, and those 
who read the notices cannot understand them, it cannot be said that they are able 
to understand their rights and exercise their choices intelligently. As a result, the 
Attorneys General of forty-two States, the District of Columbia, and two Territories 
called on the FTC and other Federal regulatory agencies to create standard notices 
and require much simpler language so that consumers can understand them. 17 

Congress should step in and require the Federal agencies to create standard no- 
tice forms for use by the financial services industry under GLB. Standard notices 
for financial privacy could be modeled on the nutritional labeling required by the 
Congress under the Nutritional Labeling and Education Act. Use of such standard 
notices would enable consumers to much more easily understand their rights, and 
to exercise their choices allowed under Federal law. 

The FCRA Does Not Adequately Protect Consumers From Abuses 
Associated With Sharing of Nonpublic Personal Financial 
Information Among Affiliates 

The concerns with respect to sharing of information with unaffiliated third parties 
— abusive telemarketing practices and incomprehensible notices — apply with equal 
force with respect to sharing of nonpublic personal financial information among cor- 
porate affiliates. The breadth and number of affiliates of some financial institutions 
is breathtaking, yet most consumers remain unaware of the existence or identity of 
their financial institutions’ affiliates. Consumers should be better protected from the 
harms associated with affiliate-sharing by giving consumers an effective choice be- 
fore credit-related information can be shared throughout a vast corporate complex. 

Under the FCRA, consumers have no choice as to whether their transaction and 
experience information will be shared with their financial institution’s corporate af- 
filiates. Moreover, once they are given a notice and opportunity to opt-out, all other 
information can also be shared with the corporate affiliate group. Thus information 
about the consumer’s income, employment history, credit score, marital status, and 
medical history can be shared with ease among corporate affiliates. 

GLB greatly expanded the activities that were permissible under one corporate 
umbrella, as it allowed insurance, securities, and banking institutions to affiliate 
with each other. Even prior to enactment of GLB, financial institutions were al- 
lowed to affiliate with a broad spectrum of companies. The list of activities that are 
identified by the Federal Reserve Board in its rulemaking as “financial” in nature 
or closely related to financial activities, and therefore permissible for inclusion with- 
in a financial holding company, goes well beyond traditional financial activities, and 
includes the following: 

• Insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, dis- 
ability, or death, or providing and issuing annuities, and acting as principal, 
agent, or broker for purposes of the foregoing, in any State. 

• Providing financial, investment, or economic advisory services, including advising 
an investment company (as defined in Section 3 of the Investment Company Act 
of 1940). 

• Issuing or selling instruments representing interests in pools of assets permissible 
for a bank to hold directly. 

• Underwriting, dealing in, or making a market in securities. 

• Leasing real or personal property (or acting as agent, broker, or advisor in such 
leasing) without operating, maintaining, or repairing the property. 

• Appraising real or personal property. 

• Check guaranty, collection agency, credit bureau, real estate settlement services. 

• Providing financial or investment advisory activities including tax planning, tax 
preparation, and instruction on individual financial management. 

• Management consulting and counseling activities (including providing financial 
career counseling). 

• Courier services for banking instruments. 


15 Interagency Public Workshop, “Get Noticed: Effective Financial Privacy Notices,” http :/ / 
www.ftc.gov / bcp / workshops ! gib / ; see also Press Release, “Workshop Planned to Discuss Strate- 
gies for Providing Effective Financial Privacy Notices,” http: / / www.ftc.gov / opal 2001 / 09 / 
glbwkshop.htm (September 24, 2001). 

16 See Joint Notice Announcing Public Workshop and Requesting Public Comment, “Public 
Workshop on Financial Privacy Notices,” at 3. 

17 See Comments of 44 Attorneys General to Federal Trade Commission Regarding GLB No- 
tices, dated February 15, 2002, available at www.naag.org. 
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• Printing and selling checks and related documents. 

• Community development or advisory activities. 

• Providing financial data processing and transmission services, facilities (including 
hardware, software, documentation, or operating personnel), databases, advice, or 
access to these by technological means. 

• Leasing real or personal property (or acting as agent, broker, or advisor in such 
leasing) where the lease is functionally equivalent to an extension of credit. 

• Providing investment, financial, or economic advisory services. 

• Operating a travel agency in connection with financial services. 18 

Thus the types of businesses with which traditional financial institutions may 
now affiliate themselves, in addition to banking, insurance, and securities broker- 
age, include: 

• mortgage lenders; 

• “pay day” lenders; 

• finance companies; 

• mortgage brokers; 

• account servicers; 

• check cashiers; 

• wire transferors; 

• travel agencies operated in connection with financial services; 

• collection agencies; 

• credit counselors and other financial advisors; 

• tax preparation firms; 

• non-Federally insured credit unions; and 

• investment advisors that are not required to register with the Securities and Ex- 
change Commission. 19 

Also included among the list of permissible affiliates are institutions that are “sig- 
nificantly engaged in financial activities,” such as: 

• A retailer that extends credit by issuing its own credit card directly to consumers. 

• A personal property or real estate appraiser. 

• An automobile dealership that, as a usual part of its business, leases automobiles 
on a nonoperating basis for longer than 90 days. 

• A career counselor that specializes in providing career counseling services to indi- 
viduals currently employed by or recently displaced from a financial organization, 
individuals who are seeking employment with a financial organization or individ- 
uals who are currently employed by or seeking placement with the finance, ac- 
counting or audit department of any company. 

• A business that prints or sells checks for consumers, either as its sole business 
or as one of its product lines. 

• An accountant or other tax preparation service that is in the business of com- 
pleting income tax returns. 

• An entity that provides real estate settlement services. 20 

The number and breadth of affiliates currently associated with some of the coun- 
try’s major financial institutions is astounding. Submitted with these comments for 
the Committee’s official record are the corporate affiliate lists for Bank of America 
Corporation, Citigroup, Inc., and KeyCorp, 21 which serve as three examples of the 
level of affiliation at large- and mid-sized banking institutions in this country. Bank 
of America lists 1,476 corporate affiliates; Citigroup lists 2,761 corporate affiliates; 
and KeyCorp lists 871. A perusal of these corporate affiliate lists demonstrates that 
these holding companies appear to be involved in widely disparate activities, includ- 
ing insurance, securities, international banking, real estate holdings, and develop- 
ment, and equipment leasing. Some of these affiliate operations may, in the normal 
course of their business, gather highly personal health information about con- 
sumers. A consumer holding a credit card with the lead bank or a property and cas- 
ualty insurance policy with a major insurer in any of these affiliate groups would 


18 Examples 1-4 are from 12 U.S.C. § 4(k); examples 5-13 are from 12 CFR §225.28; and ex- 
amples 14-16 are from 12 CFR § 211.5(d). 

19 16 CFR §313.1 (b). 

20 16 CFR §313.3 (k)(2). 

21 These lists, and other corporate affiliate lists for bank holding companies can be obtained 
at http:/ / 132.200.33.161 / nicSearch / servlet I NICServlet?$GRP$=INSTHIST&REQ=MERGEDIN 
&MODE=SEARCH. 
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not expect that his or her transaction and experience information would be spread 
throughout the corporate affiliate structure for the purpose not of servicing the con- 
sumer better, but of marketing products to the consumer. 

The only appropriate mechanism for giving consumers control over sharing of in- 
formation within such broad affiliate groups is to require that consumers be given 
effective notice and choice before their information may be shared with affiliates. 

Unfortunately, current notices to consumers about their rights under the FCRA 
with respect to sharing of nonpublic personal financial information with affiliates 
are highly inadequate, just like the notices about consumers’ rights under GLB. In- 
deed, both GLB and the FCRA require that notices about information-sharing prac- 
tices and information about how consumers can exercise their opt-out rights must 
be written in a “clear and conspicuous” manner. 22 The Federal regulatory agencies 
have not yet issued any guidance on how these two notice requirements work to- 
gether. Many financial institutions have incorporated their affiliate-sharing notices 
required under the FCRA within their notices about the sharing of information with 
unaffiliated third parties required under GLB. Consumers have experienced the 
same problems outlined previously, with respect to affiliate-sharing notices as they 
have experienced with notices about sharing of information with unaffiliated third 
parties. 

Accordingly, Congress should require financial institutions to give consumers an 
effective choice before nonpublic personal financial information can be shared among 
affiliates. Moreover, Congress should direct that the standard financial privacy no- 
tices to be created by the Federal regulatory agencies contain a standard format for 
information about affiliate-sharing practices and consumers’ choices to control such 
sharing. 

Congress Should Continue to Allow States to Enact More Protective 
Laws With Respect to Financial Privacy 

Prior to GLB, States had enacted provisions relating to financial privacy that 
were more protective than the provisions of Federal law. This Committee ensured 
the ability of States to continue to protect their citizenry by enacting Section 507 
of GLB, which allows States to adopt financial privacy laws relating to sharing with 
unaffiliated third parties that are more protective than Title V. Due to the inad- 
equacies of GLB discussed above, States and localities have been exercising this au- 
thority to ensure that their consumers’ financial information is protected. Moreover, 
under the FCRA, the current preemption of more protective State laws relating to 
affiliate-sharing is due to sunset on December 31, 2003. 

This Committee should ensure that States continue to be entitled to enact more 
protective laws with respect to sharing of financial information with third parties 
and affiliates. 

State Law on Information Sharing With Unaffiliated Third Parties 

Recognizing that many of the problems inherent with GLB stem from the Federal 
law’s acceptance of consumer “opt-out” as an appropriate means of registering con- 
sumer choice, States and local governments have been actively adopting laws that 
require consumers to opt-in before their information can be shared. There are cur- 
rently six States that have enacted laws that require some form of opt-in before 
financial information can be shared by banks. 23 Fourteen States have enacted laws 
or regulations that require some form of consumer consent before financial informa- 
tion can be shared by insurance companies. 24 In addition, North Dakota voters re- 
cently adopted a referendum reversing the State legislature’s repeal of that State’s 
opt-in law, putting that State’s banking opt-in law back on the books. Two Cali- 
fornia localities — San Mateo County and Daly City — also have recently adopted ordi- 
nances requiring affirmative consumer consent before financial information can be 
shared. These laws are a reaction by State and local governments to the problems 


22 15 U.S.C. § 6802(b)(1)(A); 15 U.S.C. § 1681a(d)(2)(A)(iii). 

23 Alaska (Alaska Stat. §06.05.175); Connecticut (Conn. Gen. Stat. Ann. § 36a— 42); Illinois 
(205 III. Comp. Stat. Ann. 5/48.1); Maryland (Md. Code Ann., Financial Institutions § 1-302); 
North Dakota (N.D. Cent. Code §6-08.1-04); and Vermont (VT. Stat. Ann. tit. 8, §10201 and 
BISHCA Regulation B-2001-01). 

24 Arizona (Ariz. Rev. Stat. Ann. §20-2113); California (Cal. Ins. Code §791.13); Con- 
necticut (Conn. Gen. Stat. Ann. §38a-988); Georgia (Ga. Code Ann. §33-39-14); Maine (Me. 
Rev. Stat. Ann. tit. 24-A, §2215); Massachusetts (Mass. Gen. Laws Ann. ch. 1751, §13); Min- 
nesota (Minn. Stat. Ann. §72A.502); Montana (Mont. Code Ann. §33-19-306); Nevada (Nev. 
Admin. Code ch. 679B §§ 679B.560-679B.750); New Jersey (N.J. Stat. Ann. §17:23A-13); New 
Mexico (N.M. Admin. Code tit. 13, §§13.1.3.1-13.1.1.28); North Carolina (N.C. Gen. Stat. §58- 
39-75); Ohio (Ohio Rev. Code Ann. §3904.13); Oregon (Or. Rev. Stat. §746.665); and Vermont 
(VT. BISHCA Regulation IH-2001-01). 
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associated with GLB, and an effort by these governments to provide consumers with 
protections greater than those afforded under Federal law. 

Some States have adopted laws or regulations that are designed to address some 
of the specific problems consumers face under Federal law. For example, Vermont’s 
new financial privacy regulations specifically prohibit banks, insurance companies, 
and securities firms from sharing encrypted account numbers or other unique iden- 
tifiers that would allow telemarketers and others to access a consumer’s account. 
See, that is, Vermont Department of Banking, Insurance, Securities, and Health 
Care Administration Regulation B-2001-01, Section 13 (available at http: / / www. 
state, vt. us / atg / Banking%20Adopted%20Rule.pdf '). 

Congress should ensure that States can continue to be allowed to protect their 
consumers with respect to sharing of financial information with third parties by en- 
acting laws that are more protective than GLB’s Title V. 

State Law on Affiliate Sharing 

Similarly, Congress should ensure that States can adopt laws that are more pro- 
tective than the FCRA with respect to affiliate-sharing. The FCRA prohibits States 
from enacting or enforcing provisions with respect to sharing of information among 
affiliates until January 1, 2004. 25 Congress should allow this preemption provision 
to sunset, as scheduled, on January 1, 2004. After that date, States will be allowed 
to enact laws with respect to affiliate-sharing if two conditions are met: 

• The State provision explicitly states that it is intended to supplement the Federal 

FCRA. 

• The State provision gives greater protection to consumers than is provided under 

the Federal FCRA. 26 

Currently, Vermont is the only State that has a law directly regulating affiliate- 
sharing. Vermont law, like Federal law, allows affiliates to share transaction and 
experience information without any notice to a consumer and without any way for 
a consumer to prevent the sharing. However, before financial institutions can share 
credit reporting information about Vermont consumers with their affiliates under 
Vermont law, the institutions must obtain affirmative consent — or opt-in — from the 
consumer. 

Because Vermont was the only State to have addressed the issue of affiliate-shar- 
ing at the time of the 1996 revisions to the FCRA, Congress specifically exempted 
Vermont’s State consent provision from FCRA preemption “with respect to the ex- 
change of information among persons affiliated by common ownership or common 
corporate control.” 27 Congress should allow other States to address concerns with 
respect to affiliate-sharing by allowing the preemption of such State laws to sunset 
as scheduled. 

Recommendations for Congressional Action 

In sum, I recommend the following as appropriate steps for this Committee to 
take to ensure that consumers’ financial privacy is protected: 

1. To prevent abusive telemarketing practices of the type that led to enactment 
of Title V in the first instance, prohibit financial institutions from using encrypted 
account numbers, unique identifiers, or other means to access a consumer’s account 
without explicit authorization from the consumer. 

2. To ensure that consumers understand their rights under Federal law with re- 
spect to financial privacy, require the Federal Agencies responsible for GLB regula- 
tion to develop standard financial privacy notices similar to the nutritional labels 
developed by the Food and Drug Administration under the Nutritional Labeling and 
Education Act. 

3. Ensure that consumers have effective notice and choice with respect to affil- 
iate-sharing. 

4. Continue to allow States to enact more protective provisions with respect to 
sharing of financial information among unaffiliated third parties. 

5. Allow the preemption of more protective State laws governing affiliate-sharing 
to sunset as scheduled on December 31, 2003. 


25 See 15 U.S.C. §§ 1681t(b)(2) and (d). 
26 15 U.S.C. §1681t(d). 

27 15 U.S.C. § 1681t(b)(2). 
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My name is Fred Cate, and I am a Professor of Law and Ira C. Batman Faculty 
F ellow at the Indiana University School of Law in Bloomington, and a Senior Policy 
Advisor at the Hunton & Williams Center for Information Policy Leadership. For 
the past 13 years, I have researched, written, and taught about information laws 
issues generally, and privacy law issues specifically. I directed the Electronic Infor- 
mation Privacy and Commerce Study for the Brookings Institution, served as a 
Member of the Federal Trade Commission’s Advisory Committee on Online Access 
and Security, and currently am a Visiting Fellow, addressing privacy issues, at the 
American Enterprise Institute. 

I appreciate the opportunity to testify today, and I am doing so on my own behalf. 
My views should not be attributed to Indiana University or to any other institution 
or person. 

The Importance of Consumer Concern 

The polling data, newspaper editorial pages, this summer’s referendum in North 
Dakota, and anecdotal evidence all suggest that consumers are concerned about per- 
sonal financial information and how it is accessed and used both by the Government 
and private industry. It is important to view this concern in context. 

The concern is not surprising, given the amount of press and political attention 
given privacy issues, the increased focus on privacy issues and the dramatic growth 
in privacy-related products and services by financial institutions, and the deluge of 
a billion or more privacy notices that financial institutions are required by Federal 
law to mail to their customers annually. 

When viewed in this context, I believe the existence of consumer concern is not 
only predictable but largely healthy: It tells us that consumers are paying more at- 
tention to important privacy issues, and are interested in how their privacy can be 
better protected. Given that many of the most effective privacy protections — espe- 
cially to guard against identity theft — are the steps that individuals alone can each 
take individually, this new interest is critical. 

The Absence of Consumer Action 

It is also important not to lose sight of the context of consumer action — as opposed 
merely to polls. Under the requirements of Gramm-Leach-Bliley, by July 1, 2001, 
tens of thousands of financial institutions had mailed approximately 1 billion no- 
tices. If ever consumers would respond, this would appear to be the occasion: The 
notices came in an avalanche that seems likely to have attracted consumer atten- 
tion, the press carried a wave of stories about the notices and about State efforts 
to supplement Gramm-Leach-Bliley’s privacy provisions, privacy advocates lauded 
the opt-out opportunity and offered online services that would write opt-out requests 
for consumers, and the information at issue — financial information — is among the 
most sensitive and personal to most individuals. 

Yet the response rate was negligible. The available published information indi- 
cates that fewer than 5 percent of consumers responded to the deluge of notices by 
opting out of having their financial information shared with third parties. For many 
financial institutions, the response rate was lower than 1 percent. And this appears 
to be consistent with response rates to other privacy-related opt-out opportunities, 
such as the Fair Credit Reporting Act’s opt-out provisions applicable to prescreening 
and sharing credit reports with affiliates; the Direct Marketing Association’s mail, 
telephone, and e-mail opt-out lists; and other company-specific lists. 

Before considering the adoption of new privacy laws, I would urge Congress to 
first consider why consumers do not take advantage of existing opportunities to re- 
strict the sharing or use of information. 

The Interference with Competing Desires 

Consumers’ concern about privacy protection must also be examined in the con- 
text of other consumer issues. Consumers want not only more privacy, but also 
lower rates on mortgages and loans, higher returns on CD’s and investments, and 
faster and more personalized service. Privacy laws can interfere with these other 
objectives, both by restricting the flow of information on which they depend, and by 
imposing high transaction costs on consumers and financial institutions alike. 

Restricting the Benefits of Open Information Flows 

Consider just a few of the many examples of the consumer benefits that depend 
on accessible information and that are threatened by more restrictive privacy laws. 
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Businesses and other organizations use personal information to identify and meet 
customer needs. According to Federal Reserve Board Governor Edward Gramlich: 
“Information about individuals’ needs and preferences is the cornerstone of any sys- 
tem that allocates goods and services within an economy.” The more such informa- 
tion is available, “the more accurately and efficiently will the economy meet those 
needs and preferences.” 1 

Information-sharing allows financial institutions to “deliver the right products 
and services to the right customers, at the right time, more effectively and at lower 
cost,” Fred Smith, Founder and President of the Competitive Enterprise Institute, 
has written. 2 The use of personal information to recognize and respond to individual 
customer needs is the definition of good customer service. Personalized service — 
epitomized by George Bailey, small-town banker played by Jimmy Stewart in “It’s 
a Wonderful Life” — is what many consumers want. The Los Angeles Times reported 
in December 1999, about customers who are understandably “irritated if the bank 
fails to inform them that they could save money by switching to a different type 
of checking account.” But, of course, as the newspaper noted, “to reach such a con- 
clusion, the bank must analyze the customer’s transactions. . . .” 3 

By having a complete picture of its customers’ financial situations, banks can offer 
them bundled services at a single lower price than if provided on an a la carte basis. 
Customers benefit in two ways: First, they are offered a range of diversified services 
that are most appropriate for their individual financial situations. Second, they get 
those services at a lower price. 

For example, a consumer may choose to link her mortgage loan with a checking 
or savings account at the lender’s affiliate, and thereby avoid minimum balance re- 
quirements for the checking or savings account, and enjoy the convenience of being 
able to arrange for direct deductions from a bank account to make the monthly 
mortgage payment. A financial services institution can aggregate all of a customer’s 
accounts to satisfy minimum balance requirements. It can make an instant decision 
whether to increase a credit line, based on its total relationship with the customer. 
Washington attorney L. Richard Fischer writes: “Information-sharing also enables 
financial institutions to offer consumers popular products such as ‘affinity’ or ‘co- 
brand’ credit card accounts. Such programs provide frequent flyer miles, grocery, or 
gasoline rebates, and other benefits to credit cardholders. Other such programs per- 
mit universities and other not-for-profit organizations to benefit from cardholder use 
of their accounts.” 4 

To provide all of these and other opportunities, access to data is essential. Laws 
restricting affiliate-sharing or requiring opt-in consent make the provision of these 
services untenable. How could an affinity program work if the card issuer and unaf- 
filiated partner could not share customer data? How could a lender accurately and 
rapidly judge the risk of increasing a customer’s credit line if it could not look at 
all of her accounts with affiliated companies? How would a financial services institu- 
tion identify appropriate candidates for debt consolidation, if it could not examine 
both the range of outstanding debts and homeownership or other relevant criteria? 

Information-sharing is especially critical for new and smaller businesses. By re- 
stricting the availability of information about their customers, privacy laws help to 
protect established businesses from competition. Laws designed to protect privacy 
act as barriers to that information- sharing, and therefore, writes Robert E. Litan, 
Director of the Economic Studies Program and Vice President of the Brookings In- 
stitution, “raise barriers to entry by smaller, and often more innovative, firms and 
organizations.” 5 

The Cost of Regulation 

There is also a financial cost to privacy regulation. We have already seen that a 
major component of that cost is caused by the interference of privacy laws with open 
information flows. Another source of that cost is the burden of complying with pri- 
vacy laws. Crafting, printing, and mailing the billion or more disclosure notices re- 
quired by Gramm-Leach-Bliley, for example, is estimated to have cost $2-$5 billion. 
Much of that cost will be repeatedly annually. 


1 Financial Privacy, Hearings before the Subcommittee on Financial Institutions and Con- 
sumer Credit of the House Committee on Banking and Financial Services, July 21, 1999 (state- 
ment of Edward M. Gramlich). 

2 Fred L. Smith, Jr., Better to Share Information, Desert News (Salt Lake City, UT), October 
14, 1999, at A22. 

3 Edmund Sanders, Your Bank Wants to Know You, The Los Angeles Times, December 23, 
1999, at Al. 

4 Financial Privacy Hearings, supra (statement of L. Richard Fischer). 

5 Robert E. Litan, Balancing Costs and Benefits of New Privacy Mandates, Working Paper 99- 
3, AEI-Brookings Joint Center for Regulatory Studies (1999). 
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More burdensome opt-in laws, as discussed below, would prove even more costly. 
During its opt-in test, U.S. West found that to obtain permission to use information 
about its customer’s calling patterns to market services to them cost between $21 
and $34 per customer, depending on the method employed. 6 

A 2000 Ernst & Young study of financial institutions representing 30 percent of 
financial services industry revenues, found that financial services companies would 
send out three to six times more direct marketing material if they could not use 
shared personal information to target their mailings, at an additional cost of about 
$1 billion per year. 7 

The study concluded that the total annual cost to consumers of opt-in’s restriction 
on existing information flows — precisely because of the difficulty of reaching cus- 
tomers — was $17 billion for the companies studied, or $56 billion if extrapolated to 
include the customers of all financial institutions. Those figures do not include the 
costs resulting from the reduced availability of personal information to reduce fraud, 
increase the availability and lower the cost of credit, provide co-branded credit cards 
and nationwide automated teller machine networks, and develop future innovative 
services and products. 

These costs do not include the increased burden to consumers of additional letters, 
telephone calls, and e-mails seeking consent: U.S. West had to call its customers an 
average of 4.8 times per household just to find an adult who could consent. 

The Special Problem of Opt-in 

The burden of privacy laws is even greater when they forbid the use of informa- 
tion without affirmative, opt-in consent. While both opt-in and opt-out give con- 
sumers the same legal control about how their information is used, the two systems 
differ in the consequences they impose when consumers fail to act. 

The U.S. Post Office reports that 52 percent of unsolicited mail in this country 
is discarded without ever being read. It will not matter how great the potential ben- 
efit resulting from the information use, if the request is not read or heard, it cannot 
be acted on. Corporate trials of consent-based privacy systems demonstrate that no 
matter how good the offer or how easy the opt-in or the opt-out method, customers 
rarely respond. 

Under opt-out, consumers like those under Gramm-Leach-Bliley who failed to 
read or respond to a privacy notice, still received services. Under opt-in, consumers 
who did not respond could not have their information used. By virtue of not re- 
sponding — whatever the reason — those subject to opt-in are excluded from receiving 
information-dependent services. Opt-in is more costly to consumers precisely be- 
cause it fails to harness the efficiency of having them reveal their own preferences 
as opposed to having to explicitly ask them. 

For a practical, specific example of the impact of opt-in on consumers, Michael 
Staten, an economist, Distinguished Professor, and Director of the Credit Research 
Center at Georgetown University’s McDonough School of Business, and I conducted 
a case study of MBNA Corporation, a diversified, multinational financial institution. 
Incorporated in 1981, and publicly-traded since 1991, by the end of 2000, the com- 
pany has experienced 40 consecutive quarters of growth, provided credit cards and 
other loan products to 51 million consumers, had $89 billion of loans outstanding 
and serviced 15 percent of all Visa/MasterCard credit card balances outstanding in 
the United States. 8 

The case study examined the impact of three forms of opt-in: (1) Opt-in for shar- 
ing personal information with third parties; (2) Opt-in for sharing personal informa- 
tion with affiliates; and (3) Opt-in for any use (other than statutorily excluded uses) 
of personal information. 

The study found that any form of opt-in would have significant economic effects 
on MBNA and its customers, because of the company’s extensive use of direct mar- 
keting to attract customers and its heavy reliance on personal information to iden- 
tify out of the 1 billion prospect names the company receives annually from its more 
than 4,700 affinity groups for which MBNA issues credit cards the 400 million 
names of people who are likely to be both qualified for and interested in a credit 
card solicitation. 

Given the low response rates to opt-in requests universally reflected by organiza- 
tions that seek consent other than at time of service or in response to a communica- 


6 Brief for Petitioner and Interveners at 15-16, U.S. West, Inc. v. FCC, 182 F.3d 1224, 1239 
(10th Cir. 1999) (No. 98-9518), cert, denied 528 U.S. 1188 (2000). 

7 Ernst & Young LLP, Customer Benefits from Current Information Sharing by Financial Serv- 
ices Companies 16 (December 2000). 

8 Michael E. Staten & Fred H. Cate, “The Impact of Opt-in Privacy Rules on Retail Credit 

Markets: A Case Study of MBNA,” Duke Law Journal (forthcoming 2002). 
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tion initiated by the customer, the case study concludes that even the least restric- 
tive opt-in regime — for third-party information-sharing — would result in the 
MBNA’s marketing materials being 27 percent less well targeted. As a result, 109 
million people would receive solicitations who should not have. This translates into 
an 18 percent lower response rate and a 22 percent increase in direct mail costs 
per account booked. There would also be an additional 8 percent reduction in net 
income because of increased defaults and reduced account activity, resulting from 
less qualified people receiving credit card solicitations. 

The broader opt-in regimes would result in more significant losses to MBNA and 
its customers, largely in three areas. First, MBNA’s affiliates would be unable to 
cross-sell services to existing customers or provide one-stop customer service, be- 
cause of the restriction of sharing information across affiliates. Second, MBNA’s cor- 
porate structure, which currently includes affiliates because of tax and regulatory 
reasons, would be less efficient and more expensive because centralized service units 
would no longer be able to provide services for all of the affiliates. Third, opt-in 
would interfere with fraud detection and prevention efforts which depend on infor- 
mation-sharing across affiliates and among companies. 

These costs would be incurred despite the fact that as of the end of 2000, only 
about 130,000 customers (one-quarter of 1 percent of MBNA’s customer base) had 
exercised their legal right to opt-out of having their credit report information trans- 
ferred across MBNA affiliates, and approximately 1 million customers (less than 2 
percent) had taken advantage of MBNA’s voluntary opt-out from receiving any type 
of direct mail marketing offers. 

The important point is not simply that complying with privacy laws is expensive, 
but rather that it imposes costs on consumers. Privacy polls rarely if ever ask con- 
sumers whether they are ready to bear that cost. But ultimately, it is consumers 
and individuals, in the words of Alabama Attorney General Bill Pryor, who “pay the 
price in terms of either higher prices for what they buy, or in terms of a restricted 
set of choices offered them in the marketplace.” 9 

The Bigger Context 

It is also important to evaluate consumer concerns about financial privacy in a 
broader context. Gramm-Leach-Bliley was passed in 1999 and the first notices were 
required to be mailed by July 1, 2001. Only 14 months has passed since that date, 
examinations of financial institutions under the new requirements are only now be- 
ginning, and enforcement has been limited. It is simply too early to judge meaning- 
fully how well the new system is working. 

Despite the short time, however, financial institutions have been busy working 
with Federal regulators, consumer advocates, and others attempting to improve 
their privacy notices and increase the effectiveness of consumer education. There 
was considerable criticism of the first round of Gramm-Leach-Bliley privacy notices, 
a key element of the law. While some of that criticism may be justified, the com- 
plexity of privacy notices seems in large part to have reflected the complexity of the 
law and regulations requiring them. Title V uses many terms that consumers would 
likely find confusing and that must be used precisely to make sense of the law’s 
requirements. For example, the law makes a significant distinction between “con- 
sumers” and “customers,” and this distinction was necessarily reflected in many 
notices, even though many people use the terms interchangeably. 

It should also be noted that clarity may be in the eye of the beholder. On June 
18, 2001, at a hearing on financial privacy of the California General Assembly’s 
Committee on Banking and Finance, the Committee Chairman challenged the finan- 
cial services industry representatives in the audience to live up to the standard set 
by American Express’ privacy notice. In fact, he distributed to every person attend- 
ing the hearing a copy of the American Express notice so that they could, in the 
Chairman’s words, use it as a “model.” Two weeks later, on July 9, 2001, USA 
Today editorialized in favor of clearer privacy notices, citing American Express’ no- 
tice — the same notice lauded only 2 weeks earlier — at its first example of a difficult 
to comprehend notice. 10 

As Federal Trade Commission Chairman Timothy Muris has noted, we are still 
learning: 

The recent experience with Gramm-Leach-Bliley privacy notices should 
give everyone pause about whether we know enough to implement effec- 
tively broad-based legislation based on notices. Acres of trees died to 
produce a blizzard of barely comprehensible privacy notices. Indeed, this is 


9 Bill Pryor, Protecting Privacy: Some First Principles, Remarks at the American Council of 
Life Insurers Privacy Symposium, July 11, 2000, Washington, DC, at 4. 

10 “Confusing Privacy Notices Leave Consumers Exposed,” USA Today, July 9, 2001, at 13A. 
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a statute that only lawyers could love — until they found out it applied to 
them. 11 

Today, regulators, industry, and consumers are learning from the emerging ex- 
perience with Gramm-Leach-Bliley, and are collectively improving the quality and 
variety of available privacy protections. The Hunton & Williams Center for Infor- 
mation Policy Leadership, for example, hosts a project in which leading financial in- 
stitutions are trying to develop layered notices — an approach that would make pri- 
vacy disclosures easier to understand and compare. The Federal Trade Commission 
has hosted a workshop on effective financial privacy notices, and is working with 
industry and privacy rights advocates to improve notices. The Commission is also 
pushing forward related privacy initiatives, including a national do-not-call list and 
increased privacy enforcement. 

Many financial services companies have also responded with privacy-related prod- 
ucts and services, or options for individuals to control the use of their information 
beyond what is required by law. Many financial services companies report today 
that they do not share personal nonpublic financial information about their cus- 
tomers with third parties. Some provide opportunities for customers to opt-out of 
information-sharing that is expressly permitted by Gramm-Leach-Bliley. Citicorp, 
Capital One, Visa, and American Express all advertise credit cards offering privacy- 
and security-related enhancements. Bank of America and other banks are openly 
competing for consumer business based on how privacy protective they are. Compa- 
nies are developing best practices for a variety of privacy protections; for example, 
Citigroup has released telemarketing best practices developed with State attorneys 
general. 

None of these developments is likely to prove a panacea for privacy protection, 
but their variety and the speed with which they are being developed suggest that 
they will afford consumers a greater choice of privacy alternatives than any law is 
likely to. Most importantly, there is virtually no evidence of tangible harms to con- 
sumers that are not already covered by Gramm-Leach-Bliley, the Fair Credit Re- 
porting Act, or some other financial privacy law. 

Consumers have understandable concerns about their privacy, and some adjust- 
ments to Federal financial privacy law may eventually prove necessary. But in the 
absence of evidence consumers being physically or financially harmed by unregu- 
lated uses of their personal financial information, the Congress has the time to wait 
to see how existing laws are working and to allow market responses to more fully 
mature. 


PREPARED STATEMENT OF JOHN C. DUGAN 

Partner, Covington & Burling 

ON BEHALF OF THE 

Financial Services Coordinating Council 
September 19, 2002 

My name is John Dugan, and I am a Partner with the law firm of Covington & 
Burling. I am testifying today on behalf of the Financial Services Coordinating 
Council (FSCC), whose members include the American Bankers Association, Amer- 
ican Council of Life Insurers, American Insurance Association, and Securities Indus- 
try Association. These organizations represent thousands of large and small banks, 
insurance companies, and securities firms that, taken together, provide financial 
services to virtually every household in America. I have represented the FSCC on 
financial privacy issues since the organization was formed in late 1999, and in that 
capacity I have advised on implementation issues involving the privacy provisions 
of the Gramm-Leach-Bliley Act (GLB Act) and related regulations; participated in 
the Federal Trade Commission’s interagency task force on notices; helped coordinate 
our task force devoted to improvements in privacy notices; and testified on a num- 
ber of occasions before the Congress and State legislatures on GLB Act issues and 
various financial privacy legislative proposals. 

The FSCC appreciates the opportunity to testify before this Committee on the sta- 
tus of financial privacy regulation, in our case from the perspective of the financial 
services industry. Our testimony focuses on: (1) the balance Congress struck in the 
Gramm-Leach-Bliley Act (GLB Act); (2) our experience with implementing the Act, 


11 Timothy J. Muris, Protecting Consumers’ Privacy: 2002 and Beyond, 2001 Conference, 
Cleveland, OH, October 4, 2001. 
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including the reaction of our customers; (3) our views on the appropriate relation- 
ship between Federal and State privacy laws; and (4) some thoughts going forward. 

The Balance Struck in the GLB Act 

Every commercial privacy law strikes a balance between protecting the privacy 
interests of consumers and preserving the clear consumer benefits that arise from 
the free flow of information in the economy. While consumers expect limits on the 
disclosure of their information, they also expect companies to provide them with 
benefits that can only be provided through information-sharing. For example, a 
loyal, long-time depositor in a bank wants and expects to receive a discount on a 
mortgage loan offered by a related mortgage company affiliate, and such “relation- 
ship discounts” can only be provided through information-sharing. Privacy laws try 
to balance these competing consumer expectations. 

In terms of financial privacy, we believe that Congress struck the right balance 
in 1999 when it adopted the privacy provisions of the GLB Act against the backdrop 
of the preexisting privacy protections provided by the F air Credit Reporting Act and 
other Federal and State statutes. Through exceptionally broad definitions, the GLB 
Act’s protections apply to virtually all personal information held about the indi- 
vidual consumers of more than 40,000 financial institutions in this country — includ- 
ing less traditional “financial institutions” such as check cashers, information 
aggregators, and financial software providers. Coupled with protections mandated 
by the Fair Credit Reporting Act (FCRA), these consumers now must be provided: 

• Notice of the institution’s practices regarding information collection and disclo- 
sure, which must be clear, conspicuous, and updated each year. 

• Opt-Out Choice regarding the institution’s sharing of information with non- 
affiliated third parties, and in certain instances, with affiliates. 

• SECURITY in the form of mandatory policies, procedures, systems, and controls to 
ensure that personal information remains confidential. 

• Protection against inappropriate redisclosure or reuse of personal infor- 
mation that is shared with third parties. 

• Enforcement of privacy protections via the full panoply of enforcement powers 
of the agencies that regulate financial institutions, for example, the Federal bank 
regulators, the Securities and Exchange Commission, State insurance authorities, 
and the Federal Trade Commission. 

In addition to these protections, customers of financial institutions that handle 
personal health information, for example, insurance companies, receive the exten- 
sive privacy protections of Federal and State medical privacy laws. Taken together, 
the FSCC believes that this set of provisions forms the most comprehensive set of 
privacy protections that has yet been implemented in the United States. 

We recognize that these protections are not as restrictive as some would have 
wanted, including some of the witnesses on today’s panel. But by any measure, com- 
pared to 3 years ago consumers have much more meaningful information, choice, 
and security regarding the way that financial institutions handle their personal in- 
formation. 

At the same time, the GLB Act appropriately allows financial institutions to share 
information with others for a variety of plainly legitimate purposes without separate 
consumer consent, that is, to carry out transactions requested by the consumer, to 
deter and detect fraud, to respond to regulators and judicial process, etc. While 
many of these “doing business” exceptions were viewed suspiciously by critics at the 
time the Act was passed, they have proven to be sensible and noncontroversial pro- 
visions covering sharing for which consumer consent is simply inappropriate. 

The FSCC also continues to support Congress’ decision to treat information-shar- 
ing by companies under common control in the same manner as sharing within a 
single institution; both are situations in which the GLB Act’s opt-out requirement 
does not apply. The fact is that many financial institutions operate through affili- 
ated financial entities, often with very similar names, rather than through divisions 
of a single institution. For purposes of the opt-out, Congress sensibly elected to ig- 
nore such artificial separations and treat affiliates as part of a single organization 
rather than as entirely distinct entities. This decision reflected the fact that con- 
sumers are unlikely to distinguish between, for example, a community bank and the 
community bank’s affiliated mortgage lending company. Instead, consumers are 
likely to expect that both affiliates are part of a single community banking organi- 
zation where information is shared within that corporate family. The decision also 
reflected the fact that the sharing of sensitive credit and insurance application infor- 
mation with affiliates is already subject to an opt-out requirement under the Fair 
Credit Reporting Act. 
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Finally, we also continue to believe that Congress made the right choice in requir- 
ing that a financial institution provide its consumers with the right to opt-out of 
the financial institution’s sharing of the consumers’ personal information with third- 
party commercial companies. This decision reflected the view that the sharing of 
personal information with such nonaffiliated third parties (other than for the excep- 
tions described above) is different in nature than sharing information with compa- 
nies within a corporate family or with financial institution marketing partners — and 
that it is sufficiently different from consumer expectations that a consumer should 
be given the choice to opt-out of such sharing. 

In making this choice, however, Congress rightly rejected an opt-m approach, 
because there is a fundamental flaw with the way such requirements work. Opt-in 
provisions deprive consumers of benefits from information-sharing (such as the 
depositor’s relationship discount on a mortgage loan described above), because con- 
sumers rarely exercise opt-in consent of any kind — even those consumers who would 
want to receive the benefits of information-sharing if they knew about them. In es- 
sence, an opt-in creates a “default rule” that stops the free flow of information. This 
in turn makes the provision of financial services more expensive and reduces the 
products and services that can be offered, which actually frustrates consumer expec- 
tations. In contrast, an opt-out gives privacy-sensitive consumers just as much 
choice as an opt-in, but without setting the default rule to deny benefits to con- 
sumers who are less privacy-sensitive. 

Implementation of the GLB Act 

The privacy provisions of Gramm-Leach-Bliley were enacted in 1999, and financial 
institution regulators subsequently issued detailed privacy regulations that became 
effective just over a year ago. This appears to be the first time that the Federal Gov- 
ernment has implemented such a comprehensive commercial privacy regulatory 
regime affecting such an important sector of the Nation’s economy. In a sense, fi- 
nancial institutions have been the “guinea pigs” for this process, and much has been 
learned by both the regulators and our industry. 

The implementation process has been massive, involving eight Federal regulators, 
51 State insurance regulators, and over 40,000 financial institutions. Companies 
have conducted detailed auditing of their information practices; developed and 
issued over 2.5 billion privacy notices; established new compliance systems; trained 
personnel; and reconfigured systems to handle and monitor consumer opt-outs. 

Financial institutions have also upgraded their already extensive security policies, 
procedures, and systems to comply with the security mandates of the Act. For exam- 
ple, company employees with access to confidential customer information are often 
required to adhere to many different types of procedures designed to protect the 
physical security of that information, including disclosing information to other em- 
ployees only on a “need to know” basis; locking confidential files and clearing desks 
before going home; and using special passwords to access information. In addition, 
some companies control access through use of security systems and computing plat- 
forms, where users are authenticated by means of logon identifications and/or secret 
passwords. In some cases digital certificates are also used for purposes of authen- 
tication and nonrepudiation; access control lists limit levels of access based on job 
employee functions; and formal data classification schemes ensure that sensitive 
data is stored only on secure platforms. These are just a sample of the many steps 
that firms are taking in the security area. 

In short, while tremendous progress has been made, GLB implementation is still 
very much a work in progress, and financial institutions continue to learn, adjust, 
and improve their privacy and security practices over time. One thing is certain, 
however: As the result of the Gramm-Leach-Bliley’s notice, choice, and security 
requirements, financial institution customers are far more privacy and security-pro- 
tected than they were 3 years ago, and far more protected than the customers of 
most other types of companies. We believe that consumers have responded favorably 
by continuing to put their trust in the companies that handle their financial assets 
and their financial needs. 

Indeed, despite generic polls showing that consumers remain concerned about 
their privacy, financial institutions have received a minuscule number of customer 
complaints about the GLB Act procedures or other privacy concerns. The same is 
true of financial regulators. For example, in response to a Freedom of Information 
Act request regarding all financial institution complaints received in 2001, the Fed- 
eral Reserve reported that it had received only 25 privacy-related complaints out of 
the 4,503 complaints it received, or .0056 percent of the total, with similarly low 
numbers reported by the Office of Thrift Supervision (6 of 4,921, or .0012 percent), 
Federal Deposit Insurance Corporation (137 of 6,849, or .02 percent), and Office of 
the Comptroller of the Currency (368 of 17,228, or .0214 percent). 
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In addition, most financial institutions do not share information with third par- 
ties, such as commercial companies, in a way that triggers the need for the GLB 
Act opt-out requirement. For example, roughly 89 percent of a recent sample of ap- 
proximately 400 banks conducted by the American Bankers Association did not 
share information in this way. For those institutions that do share with third par- 
ties in a way that requires providing the opt-out to consumers, the opt-out rates 
have generally been low, and in nearly all cases under 10 percent. The FSCC 
strongly disagrees with those who suggest that low opt-out rates mean that the GLB 
process is not working. To the contrary, our members believe that the low rates 
show that consumers trust their financial institutions to share their information in 
an appropriate manner, or that they are less sensitive to privacy concerns than has 
been suggested. 

Based on initial implementation experience, the FSCC recognizes that the privacy 
notices constitute one area in which improvements can be made. This is by no 
means as easy as it sounds, however, because the notice requirements of the GLB 
Act are quite detailed. The financial institution regulators tried hard to simplify 
these requirements in their implementing regulations, including through the use of 
sample clauses, and they told institutions that a notice complying with the GLB Act 
could fit on a six-page, “tri-fold” brochure. In their first round of notices, financial 
institutions generally took this approach and used the sample clauses, while at the 
same time carefully scrubbing the language to ensure compliance will all require- 
ments of the statute and regulations. 

Proceeding this way was absolutely necessary to ensure that the notices satisfied 
the regulators’ “clear and conspicuous” requirement and minimized exposure to legal 
liability. Indeed, the regulators have challenged very few privacy notices as failing 
to comply. Nevertheless, a six-page notice is not short, and language from the sam- 
ple clauses such as “nonaffiliated third-party” and “nonpublic personal information” 
are obviously the type of “legalese” that some consumers and critics have found dif- 
ficult to understand. 

Unfortunately, financial institutions now find themselves in a bit of a “Catch-22.” 
They spent hundreds of millions of dollars to carefully develop the first round of 
compliant notices and mail them to consumers, and financial institution consumers 
received more information about company privacy practices than consumers of vir- 
tually any other industry in the country. Yet these very same notices, because of 
their length and use of legalistic terms suggested by the regulations, have received 
a great deal of negative attention in the media. 

To address these concerns, the financial services industry is proceeding down two 
paths simultaneously. First, a number of institutions have simplified the language 
used in their second round of annual privacy notices, though carefully so as not to 
stray from the requirements of the regulation. We believe the second round of no- 
tices will be more “user friendly” than the initial notices. 

Second, both financial institutions and their regulators have focused on the idea 
of exploring a simplified “short-form” version of the notice that would supplement, 
but not replace, the longer “legal notice” required by the GLB Act and regulations. 
The FTC convened an interagency and industry workshop to discuss this and other 
notice issues, and industry efforts are underway to examine the short-form concept 
more carefully. The basic idea of the short-form notice is to use simplified terms, 
be much less legalistic than the longer notice, keep the length to one page, and use 
common language that would make it easier for consumers to compare institution 
privacy policies over time. 

The FSCC is leading a project on the short-form notice. We have convened a task 
force representing a cross-section of institutions from the banking, insurance, and 
securities industries; hired a well-known language expert to advise on short-form 
issues; and have nearly completed the initial drafting phase of several possible 
alternatives. 

While we believe this project is promising, it is by no means simple, as I men- 
tioned previously. There is no true “one-size-fits-all” solution, because institutions 
have different privacy practices that call for different types of disclosures. 

Relation Between Federal and State Privacy Laws 

There seems to be a great deal of misunderstanding about Gramm-Leach-Bliley’s 
effect on State privacy laws, as well as on the amount of State legislative action 
that has occurred on financial privacy issues generally. On the first point, Section 
507 of the GLB Act makes clear that its privacy provisions would not preempt any 
State law in effect simply because the State law affords greater privacy protections 
to consumers than the Act’s provisions. Of course, this provision by its terms does 
nothing to limit the preemptive effect of any other Federal statute, specifically in- 
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eluding the Fair Credit Reporting Act’s preemption provision that applies to State 
law restrictions on affiliate information-sharing. 

Some State legislators seemed to interpret Section 507 as an affirmative invita- 
tion by the Federal Government to the States to adopt more restrictive financial pri- 
vacy laws than Gramm-Leach-Bliley. This interpretation spawned a great deal of 
State legislative interest in new financial privacy laws immediately after passage 
of the GLB Act in 1999. The FSCC and numerous other representatives disagreed 
with that interpretation and testified to that effect before a number of State legisla- 
tures. Our position consistently has been that there was no such Federal invitation 
for States to act in Gramm-Leach-Bliley; that States should not rush to act before 
the GLB Act has been fully implemented and given a chance to work; and that a 
patchwork, uneven body of differing State privacy regulation would be extremely 
costly and counterproductive. In short, we believe that a single uniform standard 
in Federal law is the most appropriate method for regulating financial privacy. 

This leads me to the second point of confusion. While there has been a flurry of 
activity and debate at the State level in the wake of passage of the GLB Act in 
1999, during this period no State legislature has adopted a comprehensive financial 
privacy statute that has exceeded the obligations of the GLB Act. Nearly 40 States 
considered such privacy legislation in 2000, but no such statute was enacted. About 
half that number revisited the issue in 2001, again without final action. And this 
year, only California has come close to enacting a new privacy law, but for the third 
time in 3 years, the legislature has chosen not to act. 

We recognize that North Dakota first chose to conform a preexisting bank privacy 
opt-in law to the limits of Gramm-Leach-Bliley, only to have an initiative restore 
the preexisting law. In addition, regulators (but not legislatures) in New Mexico and 
Vermont have issued additional financial privacy regulations (though the Vermont 
legislature had earlier rejected an effort to increase financial privacy restrictions, 
and a lawsuit has been filed to challenge the Vermont regulation as beyond the 
scope of Vermont statutory authority). But taken together, these few actions simply 
do not constitute a groundswell of State action to impose more restrictive financial 
privacy regulation. 

To the contrary, with the notable exception of California, the State focus on finan- 
cial privacy legislation has diminished considerably over time since the GLB Act 
was enacted. The FSCC believes this is due in large part to an increased under- 
standing that: (1) The Gramm-Leach-Bliley protections are substantial and need to 
be given a chance to work before States decide to act further; and (2) it is not nearly 
as easy as it seems at first blush to adopt financial privacy restrictions without 
causing unintended consequences that increase costs and deprive consumers of real 
benefits. 

Actions in the Future 

The Gramm-Leach-Bliley’s privacy protections are real, and the implementation, 
adjustment, and enforcement process is ongoing. This is not to say that improve- 
ments cannot be made, however. In particular, the FSCC believes that the process 
for improving privacy notices is well worthwhile, and we plan to pursue that process 
actively in the coming months, both within the industry and with our regulators. 

In terms of Federal legislation, we believe that any additional action that Con- 
gress considers with respect to privacy issues should be targeted to specific harms 
rather than take the form of sweeping data protection restrictions. If the harm to 
consumers is identity theft, then the focus of legislation should be on deterring and 
remedying that problem specifically. Similarly, if consumers are most concerned 
about excessive telemarketing calls resulting from information-sharing, then we be- 
lieve that solutions should address that issue specifically. To do otherwise by impos- 
ing broad restrictions on information use and sharing: (1) May do little to solve the 
specific harms at issue; and (2) may have very negative unintended consequences. 
Accordingly, the FSCC stands ready to work with this Committee and other public 
policymakers to address specific consumer harms. 

In this regard, however, the FSCC could not support any new financial privacy 
legislation that did not include Federal preemption to ensure a uniform national pri- 
vacy standard. The FSCC has similar concerns with respect to the FCRA provision 
that preempts State restrictions on affiliate-sharing, but is scheduled to sunset by 
the end of 2003. The FSCC supports extending the sunset, as we believe that the 
uniform national affiliate-sharing provision has allowed financial institutions to 
serve their customers in the most efficient manner possible. 

Thank you for allowing me to present the views of the FSCC today. I would be 
happy to answer any questions. 
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September 19, 2002 

I appreciate the opportunity to address the Senate Committee on Banking, Hous- 
ing, and Urban Affairs on the critical issue of protecting the privacy of our citizens’ 
financial information. This Committee has taken a leading role in the challenge to 
protect consumer financial privacy. I commend the bipartisan efforts of Senators 
Sarbanes and Shelby in addressing these issues. 

Unfortunately, Title V of the Gramm-Leach-Bliley Act (GLBA) is not working to 
protect consumers from the misuse of their financial information. The Act has con- 
fused consumers, provided a green light to the unauthorized sharing of personal 
financial data as part of misleading telemarketing campaigns, and is riddled with 
loopholes that exempt many business practices from any control. I will focus my 
remarks on three aspects of GLBA: (1) The opt-out provisions in Section 502(b); (2) 
the limitations on sharing of account numbers in Section 502(d); and (3) the favor- 
able preemption standard in the Sarbanes Amendment, Section 507. While the al- 
leged consumer “protections” in Section 502 have proven of limited value in pro- 
tecting consumers, Section 507 is an important part of GLBA that may ultimately 
provide various State models for how to more fairly balance the needs of business 
with the privacy rights of consumers. 

Opt-Out Is Ineffective To Protect Consumers 

The opt-out system is not an effective means of protecting consumer financial pri- 
vacy. It puts the burden on consumers to look for the privacy notices, read and at- 
tempt to understand them, and then take affirmative action to halt the sharing of 
their nonpublic personal information with nonaffiliated third parties, such as tele- 
marketers. This system is contrary to how consumers act in the marketplace and 
what consumers expect from Government efforts to remedy the imbalance of power 
in the marketplace. Businesses that want to share personal financial information 
should do no more and no less than is required in any consumer transaction — obtain 
prior express consent of the consumer; in other words, opt-in to the deal. 

The current system does more to confuse than to assist consumers. The opt-out 
notices flooding consumers’ mailboxes have been a boon for the printing and postal 
industry, but they have not meant much for the typical consumer. The notices are 
dense and impenetrable. Even the most educated and persistent of consumers would 
have a hard time deciphering statements such as “we may disclose [information tol 
. . . carefully selected business partners (that is, so they can alert you to valuable 
products and services)” 1 to mean the financial institution will allow telemarketers 
to charge your credit card account without obtaining a signature or account number 
from you. The ineffectiveness of the notice and opt-out procedure has been thor- 
oughly documented. 2 

GLBA Limitations On Account Number Sharing Have Had No 
Meaningful Impact On Preacquired Account Telemarketing Abuses 

Each year, American consumers experience millions of dollars of unauthorized 
charges on bank, credit card, mortgage, and other accounts as a direct result of fi- 
nancial institutions sharing personal financial data. Despite an attempt at appear- 
ing to address this concern, &LBA has had no effect on the problem. In fact, GLBA 
may have inadvertently acted to legitimize financial institutions’ participation in 
data-sharing practices that result in deceptive telemarketing practices. 

Preacquired Account Telemarketing Abuses 

Financial institutions sell to telemarketers the names, phone numbers, and other 
information about their customers along with the right to charge the accounts of 
those customers. Telemarketers use this charging authority to call consumers with 
a “free trial” or “no risk” offer for services like travel membership clubs and credit 
card protection insurance. The telemarketer, because it has the ability to directly 
charge the account, never obtains an account number, a signature, or any other 
traditional evidence of consent from the customer. This sales practice, known as 


*A11 Exhibits held in Committee files. 

1 See http .7 / www.capitalone.com/indexn.nhp. 

2 See Mark Hochhauser, Ph.D., Lost in Fine Print II: Readability of Financial Privacy Notices, 
Privacy Rights Clearinghouse, May 2001, available at http://www.privacyjights.org/arlGLB- 
Reading.htm. The eight Federal agencies that issued regulations implementing GLBA held a 
workshop in December 2001, that also documented consumer misunderstanding and noncompre- 
hension of the notices. See http .7 / www.ftc.gov / bcp / workshops / gib / index.html. 
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preacquired account telemarketing, has led to a constant and heavy flow of com- 
plaints to Attorneys General and other consumer protection agencies. 

Preacquired account telemarketing is inherently unfair and causes deception and 
abuse, especially with elderly and vulnerable consumers. This sales practice turns 
on its head the normal procedures for obtaining consumer consent. Other than for 
a cash purchase, providing a signature or an account number is a readily recogniz- 
able means for a consumer to signal assent to a deal. Decades of consumer edu- 
cation have made many consumers aware that disclosing their account number may 
result in unexpected charges. The corollary to this is that many consumers believe 
that as long as they do not disclose their account number, no charge can be made 
on the account. Preacquired account telemarketing exploits this belief. 

When financial institutions share with the telemarketer the information needed 
to directly charge a customer’s account, it removes these short-hand methods of con- 
sumer control over consent to a purchase. Preacquired account telemarketing strips 
the consumer of control over the transaction and exploits the belief that being care- 
ful about disclosing an account number provides protection. The telemarketer not 
only establishes the method by which the consumer will provide consent, but also 
decides whether the consumer actually consented. 

Our Office has brought a series of cases exposing this practice. 3 Fleet Mortgage 
Corporation, for instance, entered into contracts in which it agreed to charge its cus- 
tomer-homeowners for membership programs and insurance policies sold using 
preacquired account information. If the telemarketer told Fleet that the homeowner 
had consented to the deal, Fleet added the payment to the homeowner’s mortgage 
account. Angry homeowners who discovered the hidden charges on their mortgage 
account called Fleet in large numbers. 4 A survey taken by Fleet of its customer serv- 
ice representatives is attached as Exhibit A. It showed that customers overwhelm- 
ingly told Fleet that they did not sign up for the product, and wanted to know how 
it was added to their mortgage accounts without their approval, consent, or signa- 
ture. Fleet’s employees shared the resentment of these consumers, with comments 
such as “unethical for Fleet to add [optional insurance] without my permission;” 
“[homeowner] knows they are being slammed w/ ins they never authorized (and) 
thinks unethical & bad business by us ... I agree with the customer;” and “they 
feel this is fraud. . . . It is a scam.” 5 

The number of financial institution customers affected by this sales practice is 
staggering. An investigation of a subsidiary of one of the Nation’s largest banks re- 
vealed an extraordinary number of complaints of unauthorized charges. During a 13 
month period, this bank processed 173,543 cancellations of membership clubs and 
insurance policies sold by preacquired account sellers. Of this number of cancella- 
tions, 95,573, or 55 percent, of the consumers stated “unauthorized bill” as the rea- 
son for the request to remove the charge. 6 

The frail elderly, consumers who speak English as a second language, and other 
vulnerable groups are especially at risk with preacquired account telemarketers. A 
review of randomly selected sales of one preacquired account telemarketer inves- 
tigated by our Office showed 58 percent of customers whose accounts were charged 
were over 60. Sellers continually use preacquired account telemarketing to sell 
elderly consumers membership clubs, magazines, and other products for which they 
have no possible use. Examples from our Office’s investigations of telemarketers 
using preacquired billing information include the following: Charges to the credit 
card of an 85-year old man with Alzheimer’s; charges to the credit card of a 90-year 
old woman who asked to “quit this” and said “sounds like a scam to me;” charges 


3 State of Minnesota v. U.S. Bancorp, Inc., Case No. 99—872 (Consent Judgment, D. Minn. 
1999); In The Matter of Dam ark International, Inc., Case No. C8— 99— 1038 (Assurance of Dis- 
continuance, Damsey Cty. Ct. 1999); State of Minnesota v. Memberworks, Inc., Case No. MC99- 
010056 (Consent Judgment, Hennepin Cty. Dis. Ct. 2000); State of Minnesota v. Fleet Mortgage 
Corporation, 158 F.Supp.2d 962 and 181 F.Supp.2d 995 (D. Minn. 2001) (Consent Judgment, D. 
Minn. 2002). 

4 Approximately one-fifth of all calls by Fleet customers were about these preacquired account 
charges. The mortgage statements issued by Fleet hid the charges under the rubric “opt. prod.” 
(optional product) at the very bottom of the bill in small print, such that it was extremely dif- 
ficult to discover the charge or discern the purpose of the charge. For consumers on auto-draft 
from their checking or other bank account, Fleet gave no written notice of the charge. 

5 As a result of a settlement of our Office’s case against Fleet Mortgage Corporation, its cus- 
tomers were given the opportunity to request a refund of charges for membership programs sold 
through preacquired account telemarketing. Over 72 percent of the customers currently being 
charged for such a program returned a form requiring a refund of charges, stated that they did 
not authorize the charge, and asked to have the program cancelled. 

6 The other primary reason given for cancelling (by 56,794 customers, or 32 percent of the 
total) was a general “request to cancel” code that may have also included many consumers 
claiming unauthorized charges. 



64 


to the credit card account of an Hispanic man who says “no se es” in response to 
a telemarketer’s question; and charges to the bank checking account of an impaired 
90-year old man who did not believe he consented to the charge. Attached as Exhibit 
B is a letter from a Legal Aid attorney listing a variety of useless and expensive 
membership clubs charged to the credit card of a retired church janitor in his late 
80’s. The janitor was charged for a home protection plan even though he lived in 
a nursing home; an auto club membership even though he had no car; a dental plan 
even though he already had coverage; and a credit card security plan even though 
Federal law already protected him from theft of a credit card. 

These are just a few of the substantial number of consumer complaints our Offices 
have received about this sales practice. In fact, this Office receives as many com- 
plaints about these practices post-GLB as it did before enactment of the law. 

GLBA Has Had No Impact On Preacquired Account Telemarketing Abuses 

GLBA has not changed the involvement of financial institutions in preacquired 
account telemarketing, and the abuses continue to occur. All 50 State Attorneys 
General recently filed comments with the Federal Trade Commission (FTC) stating 
that consumer complaints and State consumer protection enforcement actions 
against preacquired account telemarketers have continued without significant 
change after passage of the GLBA. The reason is not hard to discern. 

GLBA, in Section 502(d), prohibits a financial institution from disclosing, “other 
than to a consumer reporting agency, an account number or similar form of access 
number or access code for a credit card account, deposit account, or transaction ac- 
count of a consumer to any nonaffiliated third-party for use in telemarketing, direct 
mail marketing, or other marketing through electronic mail to the consumer.” Thus, 
Section 502(d) prohibits the practice by financial institutions of providing the credit 
card numbers of its customers to nonaffiliated third-party telemarketers. When sell- 
ers of magazines, membership clubs, insurance programs, and other services solic- 
ited the financial institutions’ customers via telemarketing calls, the customers were 
never asked to recite their credit card numbers because the sellers already had the 
numbers on hand with the capability to send through a charge. 

After Section 502(d) of GLBA was enacted, however, the Federal banking agencies 
promulgated rules that permitted financial institutions to continue sharing account 
numbers with third-party sellers as long as they were in encrypted form. As a result 
of this Rule, the practices of financial institutions and their third-party sellers have 
remained the same. Financial institutions may share encrypted or randomly gen- 
erated reference numbers for their customer’s accounts with third-party sellers. 
These sellers can still send through charges to consumers’ accounts without con- 
sumers giving their credit card numbers. The encrypted numbers are simply 
decrypted by the financial institution and the charges are put directly on the con- 
sumer’s account. This allows preacquired account telemarketing process to con- 
tinue — legally and unimpeded. Unscrupulous telemarketers can still cause a charge 
to a consumer’s account even when a consumer says “no” to the sale, or simply be- 
lieves he or she is trying out a free trial offer. 

The essential characteristic of preacquired account telemarketing is the ability of 
the telemarketer to charge the consumer’s account without traditional forms of con- 
sent — for example, paying cash, providing a signature, or providing a credit card or 
bank account number. The key is how the agreement between a company controlling 
access to a consumer’s account and the telemarketer who preacquires the ability to 
charge a consumer’s account affects the bargaining power between that tele- 
marketer and the consumer. GLBA, as interpreted in implementing regulations, 
does not address this relationship. 

GLBA’s Favorable Preemption Language Is Critical To Future 
Consumer Privacy Protections 

Although Title V of GLBA has done little to address the privacy needs of financial 
institution customers, the Sarbanes Amendment, Section 507, offers the best hope 
to secure protections for consumers. It is imperative that GLBA retain favorable 
preemption standards for State legislation. 

State legislatures have taken or considered a variety of approaches to protecting 
consumer information. North Dakota voters recently reinstated an opt-in approach 
to consumer financial information that had previously been in effect. California’s 
legislature has alternately passed and seriously considered various consumer pri- 
vacy initiatives. The Minnesota Senate has passed an opt-in financial privacy bill. 

State privacy initiatives have been the subject of enormous industry legislative 
pressure. In an article entitled, “Lobbyists Swarm to Stop Tough Privacy Bills in 
States,” The Wall Street Journal reported on the “regimented lobbying forces of the 
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Old Economy” that have opposed such measure. 7 Despite this intense effort, State 
privacy bills continue to advance in State legislatures. Proposed revisions to GLBA 
that would preempt such State action would be the death knell for meaningful re- 
forms to protect consumers against misuse of their personal financial information. 

Conclusion 

I thank the Committee for its consideration. Consumer protection efforts in the 
area of financial privacy are in a beginning stage of development. Title V of GLBA 
has not adequately protected the privacy of the average citizen. I hope that the Con- 
gress will support the continuation of State legislative efforts at meaningful reform 
of our privacy laws. 


PREPARED STATEME N T OF JAMES M. KASPER 

Representative North Dakota House of Representatives 

September 19, 2002 

Chairman Sarbanes and Members of the Senate Committee on Banking, Housing, 
and Urban Affairs. Thank you for the opportunity to share my views on financial 
privacy and consumer protection. 

Background 

I am a first term member of the North Dakota House of Representatives and I 
am considered a conservative in my State of North Dakota. I have been active in 
political affairs for over 20 years in North Dakota. I believe I bring a unique per- 
spective to the financial privacy issues as my business career is in the financial 
services industry. I am an independent licensed insurance and securities broker, 
and my practice is in the area of employee benefits plans and business insurance 
planning. My entire career has been spent in Fargo, North Dakota, with the excep- 
tion of 1 year in Minneapolis, Minnesota. Because North Dakota law has allowed 
banks to sell insurance for many years, I have competed with banks this entire 
time, and have a very good understanding of how they compete and what their mar- 
keting practices are. 

My First Legislative Term — 2001 

Little did I realize that in my first Legislative session, beginning in January of 
2001, a great deal of my time would be spent attempting to stop North Dakota 
banks from changing the very protective financial privacy law that North Dakota 
has had in effect since 1985. North Dakota privacy law protects not only consumer 
transactions, but all business and commercial transactions as well. Our bank pri- 
vacy law, enacted in 1985, prohibited the sharing and sale of consumer information 
to anyone, affiliates and nonaffiliates, for any reason. In today’s vernacular, we had 
a No-Opt for affiliates and a No-Opt for nonaffiliates. In 1997, the banking lobbyists 
quietly amended ND law to allow affiliate-sharing of information, so the banks in 
ND could legally share confidential information with their affiliates, without con- 
sent. Many citizens feel this needs to be addressed in our 2003 Legislative Session. 

National Strategy of Banking Industry 

As you know, the Gramm-Leach-Bliley Act (GLB) was passed by the Congress, 
with an implementation date for Title V of GLB of July 1, 2001. GLB deregulated 
the financial services industry and allows banks, insurance companies, and securi- 
ties companies to have common ownership and to market each other’s products. It 
is my understanding that two organizations, the Financial Roundtable and the Fi- 
nancial Services Coordinating Council, have targeted all States that have a more 
protective privacy law than the minimum requirements of GLB, to eliminate those 
States’ privacy laws. They seem to be determined to stop any State Legislature from 
enacting any privacy laws that are more protective of consumer privacy than GLB 
and also to repeal any State privacy laws that are more protective than GLB. 

ND Banks Work to Repeal ND Privacy Law in 2001 Legislative Session 

To accomplish the bankers national goals required the repeal of our 1985 North 
Dakota privacy law. Therefore, the North Dakota Bankers Association, the North 
Dakota Independent Bankers Association and the North Dakota Credit Union Asso- 
ciation had Senate Bill 2191 (SB 2191) introduced in the North Dakota Senate. This 


7 Zimmerman, R. and Simpson, G., “Lobbyists Swarm to Stop Tough Privacy Bills in States,” 
The Wall Street Journal (April 21, 2000). 
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bill’s intent was to repeal our 1985 North Dakota privacy law, and replace it with 
the GLB definitions of privacy, thus reducing ND citizen’s privacy protections. 

Senate Bill 2191 passed the ND Senate, in February 2001, and was assigned to 
the House of Representatives Industry, Business, and Labor Committee, of which 
I am a member. When I became aware of the intent of SB 2191, I made the decision 
to work to kill the bill. For 30 years, I have competed against the banks in ND and 
I have seen how they use credit leverage to obtain sales and to eliminate competi- 
tion. I had also learned how people’s personal and confidential financial information 
is being gathered all over the country, fed into huge computer data bases, and how 
consumer profiles of the citizens of our Nation are developed and sold to tele- 
marketing companies. I believe these practices need to be stopped. I also believe 
they may be unconstitutional. 

The banks focused all of their power in the ND House to pass SB 2191. They had 
3 full-time lobbyists at the capitol for about 6 consecutive weeks. The Credit Unions 
had two full-time lobbyists. Additionally, representatives of Wells Fargo, U.S. Bank, 
and other large banks, made numerous visits to most of the Legislators and almost 
every one of the Legislators had personal visits from their local bankers. All of these 
lobbyists were urging the Legislators to support SB 2191. Their reasons were quite 
interesting: 

The Banks and Credit Unions Used the Following Arguments in Support of 
SB 2191 in North Dakota: 

• “North Dakota needs to pass SB 2191 to adopt GLB in North Dakota law, so we 
will be in compliance with GLB.” We know this is not correct, because GLB is the 
law in all States, but does specifically allow State privacy law to supercede GLB, 
if the State law provides greater privacy protection for consumers than GLB. 

• “North Dakota will experience job loss, if we do not pass SB 2191.” Many of us 
believe the opposite is true. Because ND privacy law provides protection for all 
financial transactions, including businesses, ND could actually attract business 
and gain jobs, due to our privacy laws. 

• “North Dakota will experience negative economic development if we do not pass SB 
2191. Businesses won’t want to come to ND if we do not have the GLB privacy 
definitions in our law. It will be too expensive and too onerous to do business in 
ND.” Again, this argument was not correct. If a business does not have to waste 
its time to Opt-Out, business expenses are reduced. With a No-Opt law, a busi- 
ness will not need to use any of its resources to track its privacy records, because 
there are none to track. 

• “We do not want North Dakota to be the only State in the Nation, an ‘island,’ 
which has different privacy laws than the other States.” Again, an untrue argu- 
ment. I believe there are 5 States that have more protective privacy laws than 
GLB; Alaska, Connecticut, Illinois, Maryland, and Vermont. 

• “If we do not pass SB 2191, the people of North Dakota may not be able to use 
their ATM, credit cards, and their checking accounts.” Since June 11, 2002, when 
the people of ND repealed SB 2191, our ATM’s, credit cards, and checking ac- 
counts are working just fine, as they have since 1985, when we first passed our 
privacy law. 

All of these scare tactics and more were part of a carefully orchestrated campaign 
by the ND banks, in conjunction with their national associations, to confuse the 
issues at best, and out and out lie to the Legislators at worst, about the truth of 
SB 2191. 

There were just a handful of Legislators that worked to stop this onslaught by 
the Bankers and Credit Unions. The final vote in the ND House, was 77 to 20 to 
pass SB 2191. The ND Senate voted by 34 to 12 to pass SB 2191. The Governor, 
a former banker, signed the bill and it became North Dakota law on July 1, 2001. 

The Referral of SB 2191 — The People of North Dakota Speak 

Fortunately, this was not the end of the story. In early July 2001, a small group 
of ordinary citizens formed a group to repeal SB 2191. They called themselves “Pro- 
tect Our Privacy.” In North Dakota, the people are allowed to refer any act of the 
Legislature by gathering the minimum amount of signatures on petitions. In about 
6 weeks volunteers gathered over 17,000 signatures, about 2.5 percent of our States 
population, far exceeding the minimum needed to refer SB 2191. The people of ND 
would now vote on the referral on June 11, 2002, to decide if they wanted to repeal 
SB 2191. That meant we had about 10 months before the referral vote. During this 
time the banks organized, hired an advertising agency, and raised big money to 
fight the referral. They even hired two incumbent North Dakota Legislators to be 
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the co-chairs of their committee, which they ironically named “Citizens for North 
Dakota’s Future.” 

Grass Roots Organization: “Protect Our Privacy” to Repeal SB 2191 

The grass roots organization against SB 2191 “Protect Our Privacy,” had no 
money and no paid staff. All we had was a small group of committed volunteers, 
who like Winston Churchill, were determined we would “Never, Never, Never, 
Never Give Up.” 

To counter the power and money of the big banks, we wrote letters to the editor, 
appeared as guests on radio talk shows, held press conferences, and made appear- 
ances before civic groups. About 2 weeks before the vote on June 11, 2002, we ob- 
tained a contribution of $25,000 from the National ACLU, which allowed some radio 
spots to be run the last 10 days before the vote. Prairie Public Television also hosted 
a half hour debate about 2 weeks before the vote. Other than this, the campaign 
to repeal SB 2191 was by word of mouth, truly grass roots. Mr. Chairman, I would 
like to provide the Committee with copies of relevant documents for the record, con- 
cerning these matters. 

Big Bank Media Campaign to Keep SB 2191 Backfires 

All of this was small in comparison to the huge amounts of money the big banks 
spent on their advertising. Their media campaign was overwhelming in ND. Radio, 
TV, newspapers, talk shows, and civic presentations, began statewide. They ob- 
tained endorsement from our State Chamber of Commerce, from our former popular 
Governor, and most of the local Chambers of Commerce in our major cities. They 
even pirated the “Protect Our Privacy” group’s name, adopting and registering the 
slogan, “Protect Your Privacy” and used it on their literature to further attempt to 
confuse ND voters. The various banks and credit unions placed pamphlets and bro- 
chures in their customers checking and savings statements and they placed signs 
in many lobbies, encouraging a yes vote on SB 2191. 

In their most memorable TV ad, they actually showed a wall being built around 
North Dakota, stating that we would become an island if SB 2191 was repealed. The 
one thing the bankers would not talk about, however, was the truth about SB 2191. 
The banks want unlimited access to and the ability to sell and share their cus- 
tomers’ personal and confidential financial information, without the customers’ con- 
sent or knowledge. The Opt-Out notices required by GLB, which are supposed to 
be privacy notices and are supposed to provide consumers with an opportunity to 
stop the banks from sharing information, are a joke. Statistics indicate that over 
95 percent of the people of our country throw these notices away because they: (1) 
Do not understand them; (2) do not realize their importance; and (3) do not know 
the ramifications of not sending them back to the financial institution. 

The Vote in North Dakota — June 11, 2002 

The people of North Dakota spoke loudly and clearly on June 11, 2002, when by 
a 73 percent vote, they threw out and repealed SB 2191 and thus returned North 
Dakota privacy law to our very protective privacy statutes. Despite being out-spent 
10 to 1, despite the bankers deliberate attempt to confuse the issues with their 
media campaign and despite the power of the banks and their hired staff, the people 
of ND saw through the charade of SB 2191. Their message is a national message 
for the Congress as well. 

The Message to the Congress from the People of ND by Their June 11, 2002 
Vote on Privacy is: 

• Give us back and protect our privacy. 

• Our financial and personal information is ours. It does not belong to the banks 
and other financial service companies, or anyone else for that matter. It is not 
for sale. 

• If we want to purchase a financial product, we are very capable of initiating the 
call or contact ourselves. 

• We are not waiting breathlessly at home for our phone to ring, to be solicited by 
someone with the latest, greatest product, financial or otherwise, that we just can- 
not do without. 

• We want our identity protected. 

• Our financial and personal information is a property right we believe is protected 
under the U.S. Constitution. 

• A bank should have no more right to sell my information than it does to enter 
my property, steal my car and sell it without my consent. 
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Why Do Banks Need Unlimited Access to People’s Financial and 
Personal Information? 

It is all about market share, profit, and corporate greed, just like what our Nation 
has recently experienced with the Enron scandal, wherein too many corporate ex- 
ecutives will do anything to make profits and gain market share. 

The lifeblood needed to increase market share by the Financial Services compa- 
nies is the free flowing and easy access to consumers’ personal and confidential fi- 
nancial information. The GLB Act does not result in fair, open and more competition 
in the financial services industries. It results in the elimination of competition, 
wherein the big get bigger and small businesses by the thousands and hundreds of 
thousands will eventually be driven out of business, because they cannot compete 
with the financial might of the Citicorps and other mega financial conglomerates. 
GLB will have a long-term negative impact on rural America, as well. In ND, our 
State Legislature spends millions of dollars to attract new businesses to relocate to 
our State and our rural areas. Yet, we have a Federal Law, GLB, which places 
small businesses at a tremendous competitive disadvantage. When jobs disappear, 
the people leave. We are already experiencing this result all over America today. 

Example of How Banks Share Information 

My best client is a small business in Fargo, North Dakota. I have handled their 
insurance needs for almost 20 years. When they have an insurance need they call 
me. Recently, one of the principals called and asked me to come to his office to look 
at a life insurance proposal they had just received from their big bank insurance 
agent. This agent had been given their corporate and personal financial information, 
including salaries, ownership percentages, ages, tax bracket, Social Security num- 
bers, dates of birth, and additional confidential information, without their consent 
or knowledge. They had never met or heard of the insurance agent and they had 
not asked for any insurance proposals. My clients were astonished and upset that 
the bank gave this insurance agent their information without their consent or 
knowledge. 

My Mother’s Financial Needs 

My mother, who is a 79-year-old widow, just had a CD come due at her local 
bank, worth about $14,500. When discussing the CD renewal with the bank teller, 
she was told she should look at transferring the CD to an annuity. We learned later 
the bank teller was not licensed to sell annuities and did not know a thing about 
the rest of my mother’s financial affairs. She just advised her to buy an annuity 
from the bank. 

The bank teller had no knowledge of my mother’s financial needs, other than the 
fact she had a CD due. Despite this fact, a financial recommendation was made to 
purchase an insurance product from someone who was not licensed and had no idea 
what the impact would be on my mother’s overall needs. 

These are two examples of what goes on literally thousands of times every day. 

A California Trip in July 2002 — Bank Tactics the Same Everywhere 

Senator Jackie Speier, (D) California, invited me to come to Sacramento to help 
move forward her privacy bill, which was in trouble in the California Assembly 
(House of Representatives). I spent 4 days in CA in early July 2002, a few weeks 
after the repeal of the SB 2191 in North Dakota. I found the big banks were using 
the identical tactics in CA as they had in ND. One of their tactics was to confuse 
the issues. They also used intense lobbying pressure from banking representatives. 
Unfortunately, their tactics worked, as Senator Speier’s bill was just recently de- 
feated by a few votes. As I stated earlier, there appears to be a national strategy 
by the Banking Industry, to kill all attempts by State Legislatures to enact any 
State Legislation that is more protective than the GLB privacy rules. It worked 
again in California. 

Where Should Congress and the Senate Banking Committee Go from Here 

It is imperative, in my opinion, that this Committee draft amendments to Title 
V of GLB, to do the following: 

For nonaffiliate transactions, enact a No-Opt provision, prohibiting the sharing 
and selling of personal and financial information to nonaffiliated third parties for 
any reason, with the exception of data processing for customer requested trans- 
actions sucb as ATM’s etc., and for transactions required by law to comply with Fed- 
eral and State statutes. 

Amend GLB to provide for an Opt-In method of privacy protection for all affili- 
ates-sharing and selling of information. The people of our Nation should have the 
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right to stop their information from being passed around, to affiliated companies, 
and it should only be allowed with their advanced written consent and knowledge. 

Repeal the Joint Marketing loophole. This charade of an exemption makes a 
mockery of the already weak privacy protections in current GLB, as almost any 
transaction can be designed by the banks to be exempt under this part of GLB. 

Enact Legislation to provide privacy protections for all financial transactions from 
all sources, including business, agriculture, and nonprofit financial transactions. 
Under GLB these types of entities have no privacy protection whatsoever. They 
should have the same privacy protections that consumers do. 

What Will Happen if Congress Fails to Amend GLB? 

The people of the United States and the Legislators of the State Legislatures are 
beginning to realize the damage that has been done to the people of our country 
over the past number of years, due to the free flowing and public availability of 
their private and confidential information. I know of three States where Legislators 
are currently working on State Legislation to override the GLB privacy rules and 
to enact State Legislation similar to North Dakota’s recently restored privacy law. 
I believe this is just the beginning of what will become a national ground swell, 
wherein the State Legislatures will enact real privacy protection for their citizens. 
Congress should act immediately to correct the mistakes made in GLB and change 
its privacy provisions, as suggested in this testimony. 

California Initiative — 2004 Vote 

Due to the failure of the CA Legislature to pass Senator Speier’s privacy law in 
California, an initiated measure has begun, headed by Chris Larsen, Chairman and 
CEO of e-Loan.com an Internet mortgage loan company. I predict it will be over- 
whelmingly successful in 2004, regardless of how much money the big banks spend 
to defeat it. In fact, the more they spend, the larger the vote will be to pass the 
privacy law in CA, because the banks cannot address the truth about how they use 
people’s private and confidential information. It is their dirty little secret, their 
Achilles heal. They want to be able to sell it and share it without the people’s 
knowledge or consent, but they cannot talk about it truthfully and openly, because 
they know their customers are overwhelmingly against this practice. 

The Real Tragedy Perpetrated on the American People 

I believe that the Congress needs to realize the damage and danger they have per- 
petrated on the American people by failing to pass real privacy protection. What has 
been done under GLB and its sister law, the Fair Credit Reporting Act, is to make 
people’s private information a public commodity, available to all those who have the 
money to buy it. By allowing the privacy protections of the people of our Nation to 
continually be eroded, traded, and sold as just another commodity, the very fabric 
of our Republic is threatened. When our citizens no longer feel safe and secure in 
their homes and in the workplace, because their most personal and private informa- 
tion is no longer personal and private, we face the very real possibility that our citi- 
zens will lose confidence in our financial services industries. If that occurs, we will 
be in tremendous trouble. If you do not think it can happen today, all you need do 
is look back to 1929 and what occurred in our Nation then. Those who do not re- 
member history are bound to repeat it. 

Strong and meaningful amendments are necessary now to strengthen the Federal 
privacy law in GLB. I urge this Committee to courageously move forward to do so. 

Thank you, Mr. Chairman, and all of the Committee Members, for the opportunity 
to share my experiences and viewpoints with you today. It has been an honor. 


PREPARED STATEMENT OF PHY LL IS SCHLAFLY 

President, Eagle Forum 

September 19, 2002 

Totalitarian governments keep their subjects under constant surveillance by 
requiring everyone to carry “papers” that must be presented to any Government 
functionary on demand. This is an internal passport that everyone must show to au- 
thorities for permission to travel within the country, to move to another city, or to 
apply for a new job. 

Having to show “papers” to Government functionaries was bad enough in the era 
when “papers” meant merely what was on a piece of paper. In the computer era, 
personal information stored in databases can be used to determine your right to 
board a plane, drive a car, get a job, enter a hospital emergency room, start school, 
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open a bank account, buy a gun, or access Government benefits such as Social Secu- 
rity, Medicare, or Medicaid. 

While each classification currently has its own set of rules, connecting all these 
dots would amount to the personal surveillance and monitoring that are the indicia 
of a police state. The Washington buzz words “information-sharing” are often put 
forth as the solution to 21st Century problems, but this has significant privacy im- 
plications that must be addressed. 

Invasions of privacy are no longer limited to Government. Big business has be- 
come nearly as powerful in demanding, collecting, sharing, and selling our personal 
information. Information-gathering and sharing by Big Brother and Big Business 
raise varying levels of concern, and both are privacy invaders. Government and 
business often commingle and corroborate their information-sharing in the name of 
catching deadbeat dads, terrorists, money launderers, drug peddlers, and criminals. 

The global economy is obsessed with gathering information. The lifestyle or profile 
of each consumer is a valuable commercial commodity. The checks you write and 
receive, the invoices you pay, and the investments you make reveal as much about 
you as a personal diary. Where I shop, how often I travel, when I visit my doctor, 
how I save for retirement are all actions known to financial institutions, which con- 
nect the dots of my life and create a valuable personal profile. This compilation of 
personal information is bad enough, but the sharing of it without my consent is even 
worse. 

Thus far, big business has largely been unwilling to exercise self-restraint to re- 
spect the privacy of consumers. The bottom-line dollar is viewed as more important. 
Financial institutions do not want to seek prior express permission to share cus- 
tomer profiles because they know that most people will not sign-up. 

True privacy protections encompass the principles of notice, access, correction, 
consent, preemption, and limiting data collection to the minimum necessary. These 
form the core of the Fair Information Practices (FIP) first codified in the 1974 Pri- 
vacy Act, and they should serve as the model for every classification or compilation 
of personal information. 

Three years ago, Congress had the opportunity to dramatically change how finan- 
cial institutions treat personal information by embracing these core principles, but 
the resulting law was only a slight improvement over no protections at all. 

On November 12, 1999, President Clinton signed into law the Financial Services 
Modernization bill, known more commonly as Gramm-Leach-Bliley (GLB). This Act 
included several sections aimed at protecting sensitive personal information ob- 
tained and maintained by financial institutions, but in practice, these meager provi- 
sions are proving inadequate. 

Achieving true financial privacy was conflicted by the underlying goal of GLB, 
which was to streamline financial services, thereby increasing affiliation and cross- 
company marketing once affiliated. Greater affiliation meant greater information- 
sharing. Interjecting the right of individuals to control their personal information 
into that streamlining equation was perceived as a threat to this big business 
scheme. 

As a result, the GLB sections on privacy were severely watered down. Instead of 
personal information being kept confidential, financial institutions collect, repack- 
age, and share the data. In some instances personal information is shared with the 
Government, and in other instances, it is shared with hundreds of other “affiliated” 
companies. Even under GLB, it is still legal. GLB failed to recognize that consumers 
are the rightful owners of their personal information. Your financial diary should 
be your property, not the bank’s. 

GLB does not provide consumers with any opportunity to decide for themselves 
about the transfer of their private information among affiliates. Particularly trou- 
bling is the large number of companies marked as affiliates. For instance, Bank of 
America has nearly 1,500 corporate affiliates, and Citigroup has over 2,700. There 
is no opportunity to stop this free flow of personal information. 

GLB did include a privacy notice provision. Privacy notices should be simple docu- 
ments outlining what kinds of information are collected and how the business uses 
that information. However, the notices sent to consumers as a result of GLB turned 
out to be too complicated for the public to cope with. 

When GLB was set to go in effect, few consumers understood their rights. Notices 
began reaching consumers, and we began receiving questions about them through 
our website. Making the situation even more confusing, a mass e-mail was sent out 
by an unknown source claiming that anyone could opt-out of all information-sharing 
of banking, credit, and other financial records by calling the credit reporting compa- 
nies. We tried to provide clarification and assistance through a special alert on our 
website, but financial institutions failed to explain the companies’ privacy policies 
in simple terms. 
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GLB also provided the right to opt-out of information-sharing but only to third 
parties. With all the confusion in the notices, figuring out how to prevent the sale 
of your personal financial diary, and to whom you were actually denying it, was yet 
another significant obstacle. Opt-out consent depends on being able to understand 
what you are saying no to. This is a misplaced burden, especially when combined 
with complex, unintelligible privacy notices. Again, the design of GLB failed to begin 
with answering the essential property rights question. The individual was burdened 
with seeking further explanation of his options and consent rights to ensure protec- 
tion of his financial diary. 

If financial institutions want to offer such a range of popular services, they should 
have no problem simply explaining those services and letting individuals decide 
whether they want to sign-up for such offers. The burden should be on the financial 
institutions to be honest, to better market their products, and to respect the best 
interests of the customer. This would contribute to more confidence and trust in the 
customer-business relationship. 

One redeeming factor of GLB was in the area of preemption. To the financial in- 
stitutions’ chagrin, GLB set a floor of protections rather than ceiling. Stronger State 
privacy laws can be placed on top of GLB’s limited protections. Some States have 
already taken action and more are likely to do so. For instance, when the question 
was put to the people of North Dakota, information-sharing without consent lost by 
73 percent. A financial privacy bill in California was narrowly defeated this year, 
but State legislators are expected to revisit the issue. 

The problems with the GLB privacy provisions are clear. Exceptions, such as 
sharing among affiliates, make notices very complex. Typically buried in small 
print, the limited opt-out consent burdens individuals, insufficiently protects non- 
public data, and minimizes the confidence in financial institutions’ practices. The 
banking lobby is working hard to defeat greater financial privacy, but they should 
embrace better business practices that put their customers’ interests first. 

It is also important to mention a disturbing trend in Government exchange and 
reliance on private collections of information, such as through financial institutions. 
The post-9/11 atmosphere encourages more information-sharing and verification of 
identity, but any actions should be done cautiously so as to not impact law-abiding 
citizens. 

In 1998, the Clinton Administration proposed a Federal regulation called Know 
Your Customer, which would have turned your friendly local banker into a snoop 
reporting to the Federal database called FinCEN any deviation from what the bank 
decided is your deposits/withdrawal profile. The American people responded with 
300,000 angry e-mail criticisms and the regulation was withdrawn. However, the 
Bank Secrecy Act still requires banks to share personal information with the Gov- 
ernment through suspicious activity reports. 

The Bush Administration’s proposed regulations announced on July 17 to imple- 
ment the USA PATRIOT Act’s Anti-Money Laundering provisions call for identity 
verification, but they are even more intrusive than Know Your Customer. On that 
very same day, The Wall Street Journal reported that the Treasury Department en- 
tered into an agreement with the Social Security Administration (SSA) “to develop 
and implement a system by which financial institutions may access a database to 
verify the authenticity of Social Security numbers provided by customers at account 
opening.” 

Congress promised us that the SSN would never be used for anything else when 
it was created, and certainly not for identification purposes. Giving financial institu- 
tions access to SSA’s database embraces the SSN as a national ID number, which 
is a step in the wrong direction. Such so-called antimoney laundering provisions are 
threats to the privacy of law-abiding citizens. Is access to our personal records 
housed in the Internal Revenue Service the next step? 

In conclusion, neither Government nor private business should act as if they can 
own, share, display, or traffic our personal information without our consent. Our 
personal financial data should be protected by a firewall and accessible only to those 
who have authority. Financial institutions are in a unique position of housing our 
financial diaries that often contain all the dots of life. Extra caution and care should 
be taken by these corporations to ensure protection not only from fraud but also 
from misuse and overuse within the companies. Unless financial institutions are 
willing to raise their privacy standards independently, Congress should revisit GLB 
to raise the floor of privacy protection for our financial diaries. 
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Chairman Sarbanes and Members of the Committee, thank you for the oppor- 
tunity to testify before you today. As you know, U.S. PIRG 1 serves as the national 
lobbying office for State Public Interest Research Groups, which are independent, 
nonprofit, nonpartisan research and advocacy groups with members around the 
country. Our testimony is also on behalf of Consumer Action, Consumer Federation 
of America, Consumer Task Force on Automotive Issues and Remar Sutton, Presi- 
dent, Consumers Union, Electronic Privacy Information Center, Identity Theft Re- 
source Center, Junkbusters, Inc., Privacy Rights Clearinghouse, Private Citizen, 
Inc. 2 Many of these groups participating are members of the Privacy Coalition. 3 

Summary 

The Congress knew that the 1999 Gramm-Leach Bliley Financial Services Mod- 
ernization Act 4 (GLBA) — a law long-sought by the financial industry to encourage 
the creation of integrated financial services firms — would exacerbate already-identi- 
fied financial privacy threats. So Congress incorporated Title V to protect financial 
privacy, which included the following five key provisions. The most important and 
most successful is the last: The fail-safe States’ rights provision allowing States to 
enact stronger financial privacy laws. 

(1) Title V defined certain confidential information as “nonpublic personal infor- 
mation” subject to strong privacy protection. 

Status: An important recent decision by the DC Circuit U.S. Court of Appeals 
upholding the GLBA financial privacy regulations has effectively closed the so-called 
credit header loophole exploited by Internet information brokers to obtain Social Se- 
curity Numbers from credit bureaus without consumer consent. Creating a strict 
definition of protected information is an important and successful result of GLBA. 


1 U.S. PIRG, www.uspirg.org is the national lobbying office for the State Public Interest Re- 
search Groups, www.pirg.org. State PIRG’s are nonprofit, nonpartisan public interest advocacy 
groups. 

2 Consumer Action, www.consumer-action.org founded in 1971, is active on privacy issues both 
in California and on the national level working through its network of more than 6,500 commu- 
nity-based organizations. Consumer Federation of America, www.consumerfed.org is a coalition 
of 240 national, State, and local consumer groups around the country. Consumer Advocate 
Remar Sutton is President of the Consumer Task Force on Automotive Issues, http:l / www.auto 
issues.org / . He and the Task Force are founding members of www.privacyrightsnow.com. Con- 
sumers Union, www.consumer.org is the nonprofit, nonpartisan, noncommercial publisher of 
Consumers Report magazine and maintains advocacy offices in California, Washington. DC, and 
Texas. The Electronic Privacy Information Center (EPIC), www.epic.org was established in 1994 
to focus public attention on emerging civil liberties issues and to protect privacy, the First 
Amendment, and Constitutional values. The Identity Theft Resource Center, http://www. 
idtheftcenter.org is a nationwide nonprofit organization dedicated to developing and imple- 
menting a comprehensive program against identity theft. Junkbusters, Inc., www. junkbusters. 
com offers free software and other tools to fight junk mail, spam, cookies, and other forms of 
privacy invasion. The Privacy Rights Clearinghouse, www.privacyrights.org is a nonprofit con- 
sumer information and advocacy program. Private Citizen, Inc., http: // www.private-citizen.com 
is nationally known and respected as America’s foremost consumer organization fighting against 
the direct marketing industrys privacy-abusive practices. 

3 The Privacy Coalition was established in 2001 by a broad range of consumer, privacy, civil 
liberties, family-based, and conservative organizations that share strong views about the right 
to privacy. The groups had previously worked together on a more informal basis in opposition 
to the intrusive Know-Your-Customer rules and in support of financial privacy proposals offered 
in the 106th Congress by Members of the bi-partisan Congressional Privacy Caucus, Co-Chaired 
by Senate Banking Committee Members Richard Shelby and Christopher Dodd and House 
Energy and Commerce Committee Members Joe Barton and Ed Markey. Groups endorsing the 
coalition’s legislative candidate Privacy Pledge are listed at www.privacypledge.org. 

4 Public Law 106—102, 15 U.S.C. §6801, et seq. enacted November 12, 1999. 
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(2) Title V required covered firms to provide, by July 2001, annual notice of their 
information- sharing practices with both affiliated and nonaffiliated third parties. 

Status: The core of the GLBA privacy scheme is limited to notice. Industry lobby- 
ists will falsely portray their distribution of billions of privacy notices as successful 
privacy protection. Notice is not enough to protect privacy. Data collectors should 
adhere to a broader set of Fair Information Practices (discussed below). Worse, the 
first year’s privacy notices were unreadable; this year’s no better. Although notice 
is not enough to protect privacy, covered firms should do a better job of providing 
notice and regulators should penalize those that do not. 

(3) Title V required covered firms to provide in that notice an extremely limited 
statutory consumer right to opt-out (affirmatively act to say no) to the sharing of in- 
formation with some, but not all, nonaffiliated third parties. Transactions between 
affiliates and also with many nonaffiliated third parties engaged in joint marketing 
contracts with an affiliate could continue regardless of whetlier or not a customer 
had chosen to “opt-out.” 

Status: Notice is not enough, nor is the limited opt-out, to satisfy the Fair Infor- 
mation Practices. The vast majority of all information-sharing with both affiliates 
and many third parties is only covering by notice, not by this limited opt-out “right.” 
The provision is inadequate and fails to even rein in the practices of the tele- 
marketers it is narrowly targeted at (see (4)). The partial opt-out should be replaced 
by an across-the-board affirmative consent (opt-in) provision for all affiliate and 
third-party information-sharing. The failure of the GLBA to require any form of con- 
sumer consent for the vast majority of information-sharing transactions affected is 
one example of how the GLBA fails to meet the Fair Information Practices (dis- 
cussed below). 

(4) Title V attempted, through an encryption provision, to restrict the tawdry prac- 
tice of nonaffiliated telemarketers obtaining credit card numbers from banks, then 
signing consumers up for expensive “membership clubs” and billing them when the 
consumer failed to affirmatively cancel within 30 days. 

Status: As Attorneys General Hatch of Minnesota and Sorrell of Vermont have 
testified today, telemarketers continue to find loopholes enabling them to bill con- 
sumers for products the consumer never ordered, using credit card numbers pro- 
vided by the consumer’s bank, not by the consumer. Consumers do not think they 
ordered anything, when they do not hand over cash, a check, or a credit card num- 
ber. Unfortunately, the encryption provision has codified, instead of stopped, the 
growing epidemic of anticonsumer, controversial “preacquired account tele- 
marketing.” 

(5) Finally, recognizing that it hadn’t really completed the job of protecting privacy 
adequately, the Congress — in an extremely rare departure from its normal policy of 
preempting State action — explicitly included a fail-safe provision allowing States to 
enforce existing and to enact new stronger financial privacy laws. 

STATUS: The States’ rights fail-safe is the most important, and most successful, 
privacy protection in GLBA. We commend the Chairman for his sponsorship of the 
provision added in conference committee known as the “Sarbanes Amendment.” 
States have been very active and although not all have yet been successful, we be- 
lieve that there is a good chance that passage of strong new privacy laws in a few 
more States will provide Congress with the encouragement it needs to raise the bar 
nationally. 

Financial Privacy and the Gramm-Leach-Bliley Act 

The 1999 Gramm-Leach-Bliley Financial Services Modernization Act was enacted 
to respond to changes in the marketplace. Banks, insurance companies, and securi- 
ties firms were more and more selling products that looked alike. The firms wanted 
the privilege of and synergies derived from selling them all under one roof. Yet, the 
Gramm-Leach-Bliley Act was also enacted against a backdrop of financial privacy 
invasions, and members wanted to ensure that the new law wouldn’t make things 
worse. Consumer and privacy groups argued that if the Congress was going to cre- 
ate one-stop financial supermarkets, then privacy protections should extend to all 
information-sharing, whether with affiliates or with third parties. At the time, two 
examples were given of the need for stronger privacy laws. 

• First, NationsBank (now Bank of America) had recently paid civil penalties total- 
ing $7 million to the Securities and Exchange Commission and other agencies, 
plus millions more in private class action settlements, over its sharing of confiden- 
tial bank accountholder information with an affiliated securities firm. “Registered 
representatives also received other NationsBank customer information, such as fi- 
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nancial statements and account balances.” 5 In this case, conservative investors 
who held maturing certificates of deposits (CD’s) were switched into risky finan- 
cial derivative products. Some lost large parts of their life savings. 

• Second, Minnesota Attorney General Mike Hatch had recently sued U.S. Bank 
and its holding company, accusing them of having “sold their customers’ private, 
confidential information to MemberWorks, Inc., a telemarketing company, for $4 
million dollars plus commissions of 22 percent of net revenue on sales made by 
MemberWorks.” 6 As General Hatch has testified today in detail, MemberWorks 
and other nonaffiliated third-party telemarketers sign credit card customers up 
for add-on “membership club” products and bill their credit cards as much as $89 
or more if they do not cancel within 30 days. The catch? The consumer never gave 
the telemarketer her credit card number; her bank did, in a scheme known as 
preacquired account telemarketing. General Hatch has settled with both U.S. 
Bank and MemberWorks. 

Industry has argued that these “aberrations” occurred before the enactment of 
GLBA. Yet, as General Hatch has also testified today, however, he has also recently 
settled a post-GLBA lawsuit with Fleet Mortgage Company over similar practices 
in the post-GLBA environment. 7 He and numerous other Attorneys General have 
filed comments with the U.S. Treasury Department and the Federal Trade Commis- 
sion seeking stronger laws restricting “preacquired account telemarketing” trans- 
actions involving banks and membership clubs run by telemarketers. 

In response to these documented concerns about the risks to financial privacy, 
Congress included a specific financial privacy title in the Gramm-Leach-Bliley Act. 

Basic Structure of the GLBA Financial Privacy Scheme and Its Limitations 
The principal privacy protection in GLBA is an annual notice requirement. GLBA 
defines nonpublic personal information that must be protected. GLBA then requires 
covered entities to disclose their information-sharing policies with both affiliated 
companies (companies under the same corporate umbrella and “common control”) 
and with nonaffiliated third parties. GLBA then requires firms to grant customers 
a limited right to opt-out of a small number of transactions with some nonaffiliated 
third parties (primarily telemarketers). 

The opt-out applies to neither affiliates nor any nonaffiliated third parties in a 
joint marketing relationship with the bank or other covered entity. The rationale 
for treating marketing partners as affiliates was ostensibly to create a level playing 
field for smaller institutions that might not have in-house affiliates selling every 
possible product larger firms might sell. 8 Of course, large firms use joint marketing 
partners, too. 

The result of this scheme is that most information-sharing is only “protected” by 
notice. Sharing of confidential consumer information with either affiliates or joint 
marketing partners continues regardless of a consumer’s privacy preference. Al- 
though we have no way of knowing how many joint marketing partners a company 
may have, we do know how many affiliates some of the largest financial services 
holding companies and bank holding companies have. For their recent joint com- 
ments to the Treasury Department on GLBA, State Attorneys General accessed the 
Federal Financial Institutions Examination Council and Federal Reserve websites 
and counted affiliates for Citibank (2,761), Key Bank (871), and Bank of America 
(1,476). 9 

The GLBA has failed to provide adequate protections for consumer privacy in 
modern financial services. Individuals face a multitude of potential risks through 
unrestricted and undisclosed information-sharing of personal financial data informa- 
tion under the GLBA. Unfettered affiliate and nonaffiliate sharing permits com- 
prehensive profiling, which results in aggressive target marketing techniques, iden- 
tity theft, profiling, and fraud. Consumers have not been adequately informed or 
been given effective choice to evaluate the benefits of information-sharing against 
the potential harms causes by unrestricted information-sharing. 


5 See the SEC’s NationBank Consent Order, http .7 / www.sec.gov / litigation / admin / 337532.txt. 

6 See the complaint filed by the State of Minnesota against U.S. Bank, http:/ /www.ag. state, 
mn.us / consumer / privacy / pr/ pr%5Fusbank%5F06091999.html. 

7 See the complaint filed by the State of Minnesota against Fleet Mortgage, 28 December 2000, 

http:/ / www.ag.state.mn.us / consumer / news / pr / Comp Fleet 122800.html. 

8 The GLBA also includes numerous other exceptions to opt-out protections, including sharing 
for Government or law enforcement purposes and sharing for purposes related to completing a 
consumer transaction (such as a credit card purchase or ATM withdrawal). 

9 See 1 May 2002 Attorneys General Comments, http://www.ots.treas.gOv/docs/r.cfm/95421. 
pdf or http:/ l www.epic.org / privacy / financial / ag gib comments.html on the GLBA Informa- 

tion Sharing Study ( Federal Register: February 15, 2002 (Volume 67, Number 32)). 
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The inherent weaknesses of the GLBA notwithstanding, the July 2002 decision by 
the Court of Appeals upholding GLBA’s regulations is nevertheless an important de- 
cision upholding the Constitutionality of a broad Government privacy regulation. 10 
Government has an important interest in protecting privacy and regulating the ac- 
tivities of companies that share and sell confidential consumer information. Finan- 
cial privacy is not merely an issue of a few “nuisance” phone calls, as industry 
would like to portray it. When data collectors do not adhere to Fair Information 
Practices (discussed below) consumers face numerous privacy risks: 

• Consumers pay a much higher price than dinner interruptions from telemarket- 
ers. Many unsuspecting constituents of yours may be paying $89/year or more for 
essentially worthless membership club products they did not want and did not 
order. 

• Easy access to confidential consumer identifying information leads to identity 
theft. Identity theft may affect 500,000-700,000 consumers each year. Identity 
theft victims in a recent PIRG/Privacy Rights Clearinghouse survey faced average 
out-of-pocket costs of $808 and average lost time of 175 hours over a period of 
1-4 years clearing an average $17,000 of fraudulent credit off their credit reports. 
It is difficult to measure the costs of higher credit these consumers pay, let alone 
attempt to quantify the emotional trauma caused by the stigma of having their 
good names ruined by a thief who was aided and abetted by their bank and credit 
bureau’s sloppy information practices. 11 

• Reliance on the Social Security Number as a unique identifier in the private sec- 
tor has proliferated. Easy access to Social Security Numbers by Internet informa- 
tion brokers and others also leads to stalking. 

• The failure to safeguard information and maintain its accuracy leads to mistakes 
in credit reports and consequently consumers pay higher costs for credit or are 
even denied opportunities. 

• Although the industry witnesses will testify to a vast “free flow of information” 
driving our economy that should not be constrained, more and more firms are 
choosing to stifle the flow of information themselves — to maintain their current 
customers as captive customers. When a bank intentionally fails to report a con- 
sumer’s complete credit report information to a credit bureau, that consumer is 
unable to shop around for the best prices and other sellers are unable to market 
better prices to that consumer. 12 

• The unlimited collection and sharing of personal data poses profiling threats. Pro- 
files can be used to determine the amount one pays for financial services and 
products obtained from within the “financial supermarket” structure. As just one 
example, information about health condition or lifestyle can be used to determine 
interest rates for a credit card or mortgage. Even with a history of spotless credit, 
an individual, profiled on undisclosed factors, can end up paying too much for a 
financial service or product. Because there are no limits on the sharing of per- 
sonal data among corporate affiliates, a customer profile can be developed by a 
financial affiliate of the company and sold or shared with an affiliate that does 
not fall within the broad definition of “financial institution.” A bank, for instance, 
that has an affiliation with a travel company could share a customer profile re- 
sulting in the bank’s customer receiving unwanted telephone calls and unsolicited 
direct mail for offers of memberships in travel clubs or the like that the individual 
never wanted or requested. 13 

We will now discuss the success or failure of the five key privacy provisions sum- 
marized above in greater detail. 

(1) Title V defined certain confidential information as “nonpublic personal infor- 
mation” subject to strong privacy protection. 


10 See http : / / pacer.cadc.uscourts.gov / common /opinions / 200207 / 01-5202a.txt. 

11 See “Nowhere To Turn: A Survey of Identity Theft Victims, May 2000, CALPIRG and Pri- 
vacy Rights Clearinghouse, http:/ / calpirg.org / CA.asp?id2=3683&id3=CA&. 

12 See speech by Comptroller of the Currency John Hawke at http: // www.occ.treas.gov / ftp / 
release / 99-51.txt 7 June 1999: “Some lenders appear to have stopped reporting information 
about subprime borrowers to protect against their best customers being picked off by competi- 
tors. Many of those borrowers were lured into high-rate loans as a way to repair credit his- 
tories.” According to U.S. PIRG’s sources in the lending industry, this practice continues. 

13 For additional discussion of the profiling issue, and related privacy threats posed by infor- 
mation-sharing, see 1 May 2002 comments of EPIC, U.S. PIRG, Consumers Union, and Privacy 
Rights Clearinghouse on the GLBA Information Sharing Study ( Federal Register: February 15, 

2002 (Volume 67, Number 32)) available at http:/ lwww.epic.org /privacy / financial / gib 

comments.pdf. 



76 


Status: An important recent decision by the DC Circuit, U.S. Court of Appeals 
upholding the GLBA financial privacy regulations has effectively closed the so-called 
credit header loophole exploited by Internet information brokers to obtain Social Se- 
curity Numbers from credit bureaus without consumer consent. Creating a strict 
definition of protected information is an important and successful result of GLBA. 

The GLBA created a category of protected “nonpublic personal information.” The 
final GLBA financial privacy rules issued by 7 Federal financial agencies defined 
Social Security Numbers as nonpublic personal information (NPPI). A key provision 
is that the transfer of Social Security Numbers from financial institutions to credit 
bureaus is only allowed for regulated Fair Credit Reporting Act purposes (e.g., for 
use in a credit report) but not for unregulated purposes, where the credit bureau 
would be considered a nonaffiliated third-party. The agencies correctly interpreted 
the law to prevent the sharing of Social Security Numbers unless consumers are 
given notice of the practice and a right to opt-out. 

In 1993, the Federal Trade Commission had (improperly in our view) granted an 
exemption to the definition of credit report when it modified a consent decree with 
TRW (now Experian). The FTC said that certain information would not be regulated 
under the Fair Credit Reporting Act (FCRA). The so-called credit header loophole 
allowed credit bureaus to separate a consumer’s so-called header or identifying in- 
formation from the balance of an otherwise strictly regulated credit report and sell 
it to anyone for any purpose. Credit headers included information ostensibly not 
bearing on creditworthiness and therefore not part of the information collected or 
sold as a consumer credit report. The sale of credit headers involves stripping a con- 
sumer’s name, address, Social Security Number, and date of birth 14 from the re- 
mainder of his credit report and selling it outside of the FCRA’s consumer protec- 
tions. Although the information, marketing and locater industries contend that 
header information is derived from numerous other sources, in reality, the primary 
source of credit header data is likely financial institution information. 

In their unsuccessful arguments to the courts, the credit bureau Trans Union and 
a number of companies that sell information, organized into the now-apparently- 
defunct Individual References Services Group, argued that the GLBA included a 
Fair Credit Reporting Act savings clause and therefore their sale of Social Security 
Numbers was legal. As the FTC explains in the preamble to its Gramm-Leach-Bliley 
Financial Privacy Rule: 

The Commission recognizes that § 313.15(a)(5) permits the continuation of 
the traditional consumer reporting business, whereby financial institutions 
report information about their consumers to the consumer reporting agen- 
cies and the consumer reporting agencies, in turn, disclose that information 
in the form of consumer reports to those who have a permissible purpose 
to obtain them. Despite a contrary position expressed by some commenters, 
this exception does not allow consumer reporting agencies to redisclose the 
nonpublic personal information it receives from financial institutions other 
than in the form of a consumer report. Therefore, the exception does not 
operate to allow the disclosure of credit header information to individual 
reference services, direct marketers, or any other party that does not have 
a permissible purpose to obtain that information as part of a consumer re- 
port. Disclosure by a consumer reporting agency of the nonpublic personal 
information it receives from a financial institution pursuant to the excep- 
tion, other than in the form of a consumer report, is governed by the limita- 
tions on reuse and redisclosure in §313.11, discussed above in “Limits on 
reuse.” Those limitations do not permit consumer reporting agencies to dis- 
close credit header information that they received from financial insti- 
tutions to nonaffiliated third parties. ... If consumer reporting agencies 
receive credit header information from financial institutions outside of an 
exception, the limitations on reuse and redisclosure may allow them to con- 
tinue to sell that information. This could occur if the originating financial 
institutions disclose in their privacy policies that they share consumers’ 
nonpublic personal information with consumer reporting agencies, and pro- 


14 In a separate 2001 decision by the DC Circuit, U.S. Court of Appeals (No. 00—1141, 13 April 
2001, cert denied, 10 June 2002 by Supreme Court), Trans Union I vs. FTC, http:/ / 
laws.findlaw.com! del 001141a.html, the FTC’s order against Trans Union, http:! lwww.ftc.gov / 
osl2000l03ltransunionopinionofthecommission.pdf prohibiting Trans Union from selling actual 
credit information for illegal marketing purposes was upheld. This decision also removed dates 
of birth from credit headers, since age is a determinant of credit scores and therefore has a bear- 
ing on creditworthiness. 



77 


vide consumers with the opportunity to opt-out. [Emphasis added, Foot- 
notes omitted.l 15 

There is a slight chance that credit bureaus will eventually convince financial in- 
stitutions to provide notice of their sharing of Social Security Numbers, triggering 
the right to share Social Security Numbers for consumers who do not opt-out. So, 
the Congress should act to close the credit header loophole completely. Several 
House bills and a Senate bill, S. 1014, sponsored by Senator Bunning of the Banking 
Committee (although the bill has been referred to the Finance Committee) would 
completely close the credit header loophole and take other steps to improve Social 
Security Number privacy. 

In the 106th Congress, legislation named for the first-known victim of an Internet 
stalker was defeated after it was seen that the proposal actually was a Trojan Horse 
that expanded the availability of Social Security Numbers to customers of the Indi- 
vidual References Services Group (IRSG). IRSG member companies included credit 
companies and other information firms engaged in the sale of nonpublic personal 
information to information brokers, private detectives, and others. 16 The IRSG was 
established as a supposed self-regulatory organization and received a tacit endorse- 
ment from the Federal Trade Commission 17 for its efforts to police its industry. The 
association reportedly has dissolved following its unsuccessful attempts to overturn 
the GLBA regulations. 

(2) Title V required covered firms to provide, by July 2001, annual notice of their 
information- sharing practices with both affiliated and nonaffiliated third parties. 

Status: The core of the GLBA privacy scheme is limited to notice. Industry lobby- 
ists will falsely portray their distribution of billions of privacy notices as successful 
privacy protection. Notice is not enough to protect privacy. Data collectors should 
adhere to a broader set of Fair Information Practices (discussed below). Worse, the 
first year’s privacy notices were unreadable; this year’s no better. Although notice 
is not enough to protect privacy, covered firms should do a better job of providing 
notice and regulators should penalize those that do not. 

The notices provided by banks, securities firms, and other covered institutions 
have been widely panned by a variety of experts for their inscrutable, dense lan- 
guage. While the banks and others have complained that the law required such de- 
tail, we respectfully disagree that the law required banks to confuse customers. 
Mark Hochhauser, readability consultant to the Privacy Rights Clearinghouse, ana- 
lyzed dozens of the initial notices: “Readability analyses of 60 financial privacy no- 
tices found that they are written at a 3rd-4th year college reading level, instead 
of the junior high school level that is recommended for materials written for the 
general public.” 18 

In response, a number of consumer and privacy groups formed a coalition to peti- 
tion the financial regulatory agencies to strengthen the notices using existing au- 
thority. Apparently in response to the petition of 26 July 2001 and other complaints, 
the agencies held a workshop in December 2001. We are unaware of significant im- 
provement to the notices in 2002. According to the petition filed by the consortium 
of consumer and privacy groups: 

In passing §§501-510 of the GLBA, Congress gave consumers the right 
to prevent financial institutions from transferring their personal financial 
information to third parties. To that end, the Act requires the institutions 
to notify customers of the right to opt-out and to provide convenient means 
of exercising it. However, in notices mailed out thus far, most financial in- 
stitutions have employed dense, misleading statements and confusing, cum- 
bersome procedures to prevent consumers from opting out. Such notices 
evince a clear failure of the Act’s implementing regulations to effectuate 
Congressional intent. Accordingly, we ask the Agencies to revise the regula- 
tions and require that financial institutions provide understandable notices 
and convenient opt-out mechanisms. 19 


15 Excerpted from pages 80-83, Federal Trade Commission, 16 CFR Part 313, Privacy Of Con- 
sumer Financial Information, Final Rule, http:/ / www.ftc.gov / os / 2000 / 05 I glb000512.pdf 

16 See the U.S. PIRG Fact Sheet, “Why The Amy Boyer Law Is A Trojan Horse” at http:/ j 
www.pirg.org / consumer / trojanhorseboyer.pdf. 

17 See for example, Testimony of FTC Commissioner Mozelle Thompson before the House 
Banking Committee, 28 July 1998, http .7 / www.ftc.gov/os/1998/9807/pretexttes.htm. 

18 See "Lost in the Fine Print: Readability of Financial Privacy Notices” by Mark Hochhauser 
at http:/ / www.privacyrights.org / ar / GLB-Reading.htm. 

19 The petition is available at http:/ / www.privacyrightsnow.com / glbpetition.pdf See the web- 
site http://www.privacyrightsnow.com for additional information about the coalition. 
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According to a smaller August 2002 California PIRG survey 20 of 10 bank privacy 
notices issued in the second year, 2002: “Most banks received a failing grade and 
the best received a “C-.” 

As for the notion that no company would seek to make notices confusing on pur- 
pose, so consumers would fail to take advantage of an opt-out right, we would en- 
courage the Committee to review a recent Federal court decision. The U.S. District 
court decision in the case Darcy Ting et al vs. AT&T describes how the long-distance 
carrier AT&T may have used consultants to help it write legal notices to its cus- 
tomers in such a way that the consumers would view an amendment to their cus- 
tomer service agreement (CSA) as a “nonevent” and not either “opt-out” of the 
change or, worse, “defect” to another carrier. The key provision reduced legal rem- 
edies (by requiring mandatory arbitration). From the district court ruling: 

22. AT&T conducted market research to assist it in developing the con- 
tract documents. One part of AT&T’s research, the Quantitative Study, in- 
cluded the following key findings and recommendations: In the letter it 
should be made clear that this agreement is being sent for informational 
purposes only. The fact that no action is required on the part of the cus- 
tomer needs to be made, (sic) . . . 

23. Another part of AT&T’s research, the Qualitative Study, concluded 
that after reading the bolded text in the cover letter which States “[p]lease 
be assured that your AT&T service or billing will not change under 
the AT&T Consumer Services Agreement; there is nothing you need 
to do,” “[a]t this point most would stop reading and discard the letter.” 
[Emphasis in original.] . . . 

. . . 24. . . . While presenting the CSA as a nonevent may have helped 
AT&T retain its customers, it also made customers less alert to the fact 
that they were being asked to give up important legal rights and remedies. 

(U.S. District court decision, Darcy Ting et al vs. AT&T 21 ) 

(3) Title V required covered firms to provide in that notice an extremely limited 
statutory consumer right to opt-out (affirmatively act to say no) to the sharing of in- 
formation with some, but not all, nonaffiliated third parties. Transactions between 
affiliates and also with many nonaffiliated third parties engaged in joint marketing 
contracts with an affiliate could continue regardless of whether or not a customer 
had chosen to “opt-out.” 

Status: Notice is not enough, nor is the limited opt-out, to satisfy the Fair Infor- 
mation Practices. The vast majority of all information-sharing with both affiliates 
and many third parties is only covering by notice, not by this limited opt-out “right.” 
The provision is inadequate and fails to even rein in the practices of the tele- 
marketers it is narrowly targeted at (see (4) below). The partial opt-out should be 
replaced by an across-the-board affirmative consent (opt-in) provision for all affiliate 
and third-party information-sharing. 

The failure of the GLBA to require any form of consumer consent for the vast ma- 
jority of information-sharing transactions affected is one example of how GLBA fails 
to meet the Fair Information Practices. 

Ideally, consumer groups believe that all privacy legislation enacted by either the 
States or the Congress should be based on Fair Information Practices, which were 
originally proposed by a Health, Education, and Welfare (HEW) task force and then 
embodied into the 1974 Privacy Act and into the 1980 Organization for Economic 
Cooperation and Development (OECD) guidelines. The 1974 Privacy Act applies to 
Government uses of information. 22 Consumer and privacy groups generally view the 
following as among the key elements of Fair Information Practices: 


20 See the CALPIRG report Privacy Denied: A Survey Of Bank Privacy Policies, 15 August 
2002, http .7 / calpirg.org / CA.asp?id2=7606&id3=CA&. 

21 See especially paragraphs 21-24 of U.S. District Judge Bernard Zimmerman’s 15 January 
2002 opinion in Darcy Ting et al vs. AT&T (Case 01-02969BZ, Northern District of California). 
Now on appeal to the 9th Circuit Court of Appeals. 

22 As originally outlined by a Health, Education, and Welfare (HEW) task force in 1973, then 
codified in U.S. statutory law in the 1974 Privacy Act and articulated internationally in the 
1980 Organization of Economic Cooperation and Development (OECD) Guidelines, information 
use should be subject to Fair Information Practices. Noted privacy expert Beth Givens of the 
Privacy Rights Clearinghouse has compiled an excellent review of the development of FIP’s, “A 
Review of the Fair Information Principles: The Foundation of Privacy Public Policy.” October 
1997. http://www.privacyrights.orglARIfairinfo.html. The document cites the version of FIP’s 
in the original HEW guidelines, as well as other versions. 
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1) Collection Limitation Principle: There should be limits to the collection of 
personal data and any such data should be obtained by lawful and fair means and, 
where appropriate, with the knowledge or consent of the data subject. 

2) Data Quality Principle: Personal data should be relevant to the purposes for 
which they are to be used, and, to the extent necessary for those purposes, should 
be accurate, complete, and kept up-to-date. 

3) Purpose Specification Principle: The purposes for which personal data are 
collected should be specified not later than at the time of data collection and the 
subsequent use limited to the fulfillment of those purposes or such others as are 
not incompatible with those purposes and as are specified on each occasion of 
change of purpose. 

4) Use Limitation Principle: Personal data should not be disclosed, made avail- 
able, or otherwise used for purposes other than those specified in accordance with 
the Purpose Specification Principle except: a) with the consent of the data subject; 
or b) by the authority of law. 

5) Security Safeguards Principle: Personal data should be protected by rea- 
sonable security safeguards against such risks as loss or unauthorized access, de- 
struction, use, modification, or disclosure of data. 

6) Openness Principle: There should be a general policy of openness about de- 
velopments, practices, and policies with respect to personal data. Means should be 
readily available of establishing the existence and nature of personal data, and the 
main purposes of their use, as well as the identity and usual residence of the data 
controller. 

7) Individual Participation Principle: An individual should have the right: a) 
to obtain from a data controller, or otherwise, confirmation of whether or not the 
data controller has data relating to him; b) to have communicated to him, data re- 
lating to him within a reasonable time; at a charge, if any, that is not excessive; 
in a reasonable manner; and in a form that is readily intelligible to him; c) to be 
given reasons if a request made under subparagraphs (a) and (b) is denied, and to 
be able to challenge such denial; and d) to challenge data relating to him and, if 
the challenge is successful to have the data erased, rectified, completed or amended. 

8) Accountability Principle: A data controller should be accountable for com- 
plying with measures which give effect to the principles stated above. 23 

Consumer groups disagree with industry organizations over whether certain self- 
regulatory or statutory schemes are adequately based on Fair Information Practices. 
Industry groups often seek to block legislation or offer substitute legislation in- 
tended to “dumb-down” the Fair Information Practices, as they were able to do with 
the GLBA. 

• First, industry groups seek to substitute a weaker opt-out choice, instead of pro- 
viding opt-in consent before secondary uses, 

• Second, industry groups claim that notice is enough. They claim that the right 

of review and correction are unnecessary. 

• Third, they contend that either agency enforcement or self-regulation is an ade- 
quate substitute for a consumer private right of action (also missing from GLBA). 

Privacy advocates and other consumer groups believe that consumers should pro- 
vide consent for all information-sharing circumstances — by and among both affili- 
ates and third parties. Second, that protection should be on an opt-in basis since 
it gives consumers control. 

How The Gramm-Leach-Bliley Act Falls Short of the 
Fair Information Practices: 

First, it fails to require any form of consent (either opt-in or opt-out) for most 
forms of information-sharing for secondary purposes, including experience and 
transaction information shared between and among either affiliates or affiliated 
third parties. 

Second, while consumers generally have access to and dispute rights over their 
account statements, they have no knowledge of, let alone rights to review or dispute, 
the development of detailed profiles on them created by financial institutions. 


23 Organization for Economic Cooperation and Development, Council Recommendations Con- 
cerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, 
20 I.L.M. 422 (1981), O.E.C.D. Doc. C (80) 58 (Final) (October 1, 1980), at http :/ / www.oecd.org / 
/ dsti / sti / it / secur / prod / PRIV-EN.HTM as quoted in Gellman, “Privacy, Consumers, and Costs: 
How The Lack of Privacy Costs Consumers and Why Business Studies of Privacy Costs are Bi- 
ased and Incomplete,” March 2002, http://www.epic.org/reports/dmfprivaey.html or http:/ / 
www.cdt.org / publications / dmfprivacy.pdf 
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The Act does provide for disclosure of privacy policies, although a review of a sam- 
ple of privacy policies suggests that companies are not following the spirit of GLBA. 
See (3). None are fully explaining all their uses of information, including the devel- 
opment of consumer profiles for marketing purposes. None are listing all the types 
of affiliates that they might share information with. None are describing the specific 
products, most of which are of minimal or even negative value to consumers, that 
third-party telemarketers might offer for sale to consumers who fail to opt-out. Yet 
all the privacy policies make a point of describing how consumers who elect to opt- 
out will give up “beneficial” opportunities. 

(4) Title V attempted, through an encryption provision, to restrict the tawdry prac- 
tice of nonaffiliated telemarketers obtaining credit card numbers from banks, then 
signing consumers up for expensive “membership clubs” and billing them when the 
consumer failed to affirmatively cancel within 30 days. 

Status: As Attorneys General Hatch of Minnesota and Sorrell of Vermont have 
testified today, the telemarketers continue to find loopholes enabling them to bill 
consumers for products the consumer never ordered, using credit card numbers 
provided by the consumer’s bank, not by the consumer. Consumers do not think 
they ordered anything, when they do not hand over cash, a check, or a credit card 
number. Unfortunately, the encryption provision has codified, instead of stopped, 
the growing epidemic of anticonsumer, controversial “preacquired account tele- 
marketing.” 

In December 2000, the Minnesota Attorney General filed a new suit against Fleet 
Mortgage, an affiliate of FleetBoston, for substantially the same types of violations 
as U.S. Bank engaged in. That complaint was settled in June. The State’s complaint 
explains the problem with sharing confidential account information with third-party 
telemarketers. The complaint states that when companies obtain a credit card num- 
ber in advance, consumers lose control over the deal: 

Other than a cash purchase, providing a signed instrument or a credit 
card account number is a readily recognizable means for a consumer to sig- 
nal assent to a telemarketing deal. Preacquired account telemarketing re- 
moves these short-hand methods for the consumer to control when he or 
she has agreed to a purchase. The telemarketer with a preacquired account 
turns this process on its head. Fleet not only provides its telemarketing 
partners with the ability to charge the Fleet customer’s mortgage account, 
hut also Fleet allows the telemarketing partner to decide whether the con- 
sumer actually consented. For many consumers, withholding their credit 
card account number or signature from the telemarketer is their ultimate 
defense against unwanted charges from telemarketing calls. Fleet’s sales 
practices remove this defense. 24 

This complaint alleged that the company was providing account numbers to the 
telemarketer. In our view, either Gramm-Leach-Bliley or the FTC Telemarketing 
Sales Rule needs to be amended so that telemarketers cannot initiate the billing of 
a consumer who has not affirmatively provided his or her credit card or other ac- 
count number. Whether this case stems from pre-Gramm-Leach-Bliley acquisition of 
full account numbers, or post-Gramm-Leach-Bliley encrypted numbers or authoriza- 
tion codes, is not the question. In either case, consumers have lost control over their 
accounts. 

How do the credit card companies and the telemarketers respond to consumer 
complaints? Data from consumer complaints to U.S. PIRG and to the FTC and the 
legal complaints and accompanying materials of the State of Minnesota all show the 
following pattern: Consumers who call their credit card company to complain about 
their bills are transferred to the telemarketer, whose agents were trained to con- 
tinue to try to confuse the consumer. The telemarketer then claims that the con- 
sumer assented to the confusing trial offer by giving their “date of birth” or some 
other piece of information (but not, of course, a credit card number, let alone an “ex- 
piration date.”). Sometimes the telemarketer would play a piece of recorded tape 
from the call where the consumer had provided a date of birth — arguing that pro- 
viding your date of birth was proof that the consumer had agreed to the transaction. 
This response to complaints made about unauthorized charges was designed to con- 
vince consumers to “eat” the charge. 

Providing a date of birth in response to a trick question is not providing a credit 
card number to order a product. Preacquired account telemarketing should be 


24 28 December 2000, Complaint of State of Minnesota vs. Fleet Mortgage, see http : / / www. 
ag. state. mn.us / consumer / news / pr / Comp Fleet 122800.html. 
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banned. We are encouraged that the proposed FTC amendments to the Tele- 
marketing Sales Rule would ban preacquired account telemarketing. 25 

No bank — indeed, no firm — should be allowed to earn commissions from compa- 
nies (whether affiliated, joint marketing partners, or third-party telemarketers) that 
bill consumers for products they do not want and have not ordered, through the 
scheme known as “preacquired account telemarketing,” which eliminates a con- 
sumer’s fundamental control over her purchase decisions by allowing the consumer’s 
bank to make purchase decisions for her and bill her credit card without her knowl- 
edge or consent. 

(5) Finally, recognizing that it hadn’t really completed the job of protecting privacy 
adequately, the Congress — in an extremely rare departure from its normal policy of 
preempting State action — explicitly included a fail-safe provision allowing States to 
enforce existing and enact new stronger financial privacy laws. 

STATUS: The States’ rights fail-safe is the most important, and most successful, 
privacy protection in GLBA. We commend the Chairman for his sponsorship of the 
provision added in conference committee known as the “Sarbanes Amendment.” 
States have been very active and although not all have yet been successful, we be- 
lieve that there is a good chance that passage of strong new privacy laws in a few 
more States will provide Congress with the encouragement it needs to raise the bar 
nationally. 

Our organizations and others, including, as State Representative Jim Kasper re- 
ports today, the grassroots-based Protect Our Privacy coalition in North Dakota, 
have fought to enact stronger privacy protections in State law. While we have faced 
significant opposition from vested financial interests, we strongly believe that the 
fail-safe States’ rights’ provision of Title V is its most important provision. 

Five States have some form of “opt-in” financial privacy provisions: Alaska, Con- 
necticut, Illinois, Maryland, and Vermont. Each has laws applying to different as- 
pects of financial information. In three States, legislative repeals of stronger pre- 
GLBA legislation occurred in 2000-2001: North Dakota, Maine, and Florida. How- 
ever, in June 2002, North Dakota citizens reversed that State’s repeal action on a 
73 percent-27 percent ballot referendum vote. 26 The result of the referendum was 
reinstatement of the previous opt-in based law. Vermont is the only State that has 
a law that specifically regulates affiliate-sharing. 27 The State of Vermont is also vig- 
orously defending a lawsuit by insurance associations seeking to overturn its finan- 
cial privacy laws. 

Consumers Union, Privacy Rights Clearinghouse, California PIRG, and other 
groups have been strong supporters of proposed California legislation by State Sen- 
ator Jackie Speier. As originally introduced, SB 773 28 would have required that all 
information-sharing, whether by and between affiliates or with third parties, would 
require opt-in consent. In its final form, although still defeated in the State assem- 
bly last month, the bill would have required an opt-out for all sharing between 
either affiliates or nonaffiliated joint marketing partners (no consent protection 
under Federal law) and required an opt-in for sharing with other third parties (opt- 
out under current Federal law). 

Passage of SB 773, even in its weakened form, would have granted California con- 
sumers vastly improved financial privacy rights over current law. 

In our view, passage of such a strong bill in such a large State would have had 
a very good chance to lead to similar Federal legislation, vindicating the fail-safe 
States’ rights model adopted by GLBA. The success of the citizens of North Dakota 
and the near success of the California legislature in enacting the Speier bill, despite 
an overwhelming campaign by the industry, strongly suggest that the States’ rights 
provision of Title V has been successful and should be continued. 

We are also encouraged that extant preemption provisions in the Fair Credit Re- 
porting Act (15 USC 1681 et seq.) expire on 1 January 2004. At that time, States 
will be free to experiment with strengthening both of the core laws protecting their 
financial privacy — FCRA and GLBA. Uncertainty over the relationship between the 
FCRA’s preemption provisions and GLBA’s FCRA savings clause regarding affiliate 
sharing has helped the financial industry to successfully oppose State laws seeking 
to further regulate financial privacy. When that FCRA preemption provision expires, 


25 See 67 FR 4492 available at http: l / www.ftc.gov / os / 2002 / 01 / 16cfr3 10. pdf 

26 See the website of the North Dakota grassroots group that beat the banks 73 percent-27 
percent in a June referendum on financial privacy at http: l / www.protectourprivacy.net. 

27 Comments of 44 Attorneys General to Federal Trade Commission Regarding GLB Notices. 
February 15, 2002 (available at www.naag.org). 

28 See legislative history of SB 773 at http: // www.leginfo.ca.gov / cgi-bin / postquery?bill 

number=sb 773&sess=CUR&house=B&author=speier. 
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there will be greater clarity for legislators about States’ rights to regulate affiliated 
transactions. 

Recommendations 

(1) Strengthen GLBA 

Gramm-Leach-Bliley Act should be strengthened. Consumers should be granted 
an affirmative informed consent right (opt-in) before nonpublic personal information 
is shared with either affiliates or third parties. 

Providing informed consent and providing notice are only two of a set of Fair In- 
formation Practices that give consumers control over the use of their confidential 
information. Protection of privacy requires data collectors to adhere to all of the Fair 
Information Practices. Efforts by industry groups to “dumb-down” the Fair Informa- 
tion Practices should be resisted. 

(2) Resist Efforts to Eliminate States’ Right to Enact Stronger Laws 
Congress should resist efforts by industry lobbies to eliminate the right of States 

to pass stronger financial privacy laws. Congress should also reject proposed Federal 
legislation (H.R. 3068) and similar amendments to place a moratorium on stronger 
financial privacy laws. 

In addition, Congress should reject the specious claims of some financial industry 
lobbyists that strong State privacy laws deter homeland security. According to a 
February 2002, Associated Press story: 

The banking industry is reaching out to Homeland Security Director Tom 
Ridge and lawmakers in search of Federal help to block State consumer pri- 
vacy laws that bankers argue will hinder their efforts to spot terrorists. In- 
dustry lobbyists have been arguing that State laws that prohibit banks 
from sharing consumer information without permission might preclude 
them from alerting law enforcement to potential crimes. “We would have 
trouble communicating with law enforcement . . . and it would be ex- 
tremely chaotic. We need a uniform privacy standard,” said David Liddle 
of the Financial Services Roundtable, an industry lobby. . . ,” 29 

As far as we know, Director Tom Ridge has not dignified these requests with any 
comment. 

(3) Reject Claims That Costs of Privacy Are Too High 

We urge the Congress to reject industry claims that privacy’s costs are too high 
and its benefits too low. We have reviewed a number of presumably industry-funded 
studies purporting to make this claim and find their methodology lacking. We refer 
the Committee to an alternate study, by an independent consultant, which critiques 
the industry studies and points out numerous benefits of privacy as well as the costs 
of insufficient privacy protection. As Robert Gellman points out: 

The cost of privacy is a legitimate issue, but the studies and the conclu- 
sions drawn from them have serious flaws. ... In fact, the costs incurred 
by both business and individuals due to incomplete or insufficient privacy 
protections reach tens of billions of dollars every year. [Emphasis added.] 30 

Conclusion 

Thank you for the opportunity to provide our views before the Committee today 
on the important matter of financial privacy. You, Mr. Chairman, and other Com- 
mittee Members, especially Senator Shelby and Senator Dodd, Senate Co-Chairs of 
the Bi-Partisan Congressional Privacy Caucus, should be commended for your lead- 
ership on financial privacy. We look forward to working with you to strengthen con- 
sumer privacy rights. 


29 See “Banks Seek to Block State Privacy Laws,” 19 February 2002, Sharon Thiemer, Associ- 
ated Press. 

30 See Gellman, “Privacy, Consumers, and Costs: How The Lack of Privacy Costs Consumers 
and Why Business Studies of Privacy Costs are Biased and Incomplete,” March 2002, http :/ / 
www.epic.org/reports/dmfprivacy.html or http:/ / www.cdt.org / publications / dmfprivacy.pdf 



